Vulnerability Description
AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level
- https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643
FAQ
What is CVE-2026-42485?
CVE-2026-42485 is a vulnerability with a CVSS score of 7.5 (HIGH). AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but c...
How severe is CVE-2026-42485?
CVE-2026-42485 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-42485?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.