CVE-2026-54413 PUBLISHED

Assigner: TuranSec
Reserved: 13.06.2026 Published: 14.06.2026 Updated: 14.06.2026

driftregion iso14229 through 0.9.0 contains an integer underflow and a downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c. A remote unauthenticated attacker can crash a UDS server, and potentially read memory past the receive buffer, by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message.

The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the length of the trailing seed-request or key data as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN). When recv_len is 1 the result wraps to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates over or copies that many bytes starting inside the 4-KB receive buffer and therefore runs far past its end. Every other UDS service handler in the library (SIDs 0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier.

The vulnerable handler is reachable over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication. "Remote" here means reachable from whatever carries the diagnostic transport: DoIP exposes the handler over IP, while CAN, OBD-II and ISO-TP require access to the vehicle or controller bus. Deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D
CVSS Score: 7.8

A remote attacker on the same diagnostic transport (CAN/OBD-II/ISO-TP/DoIP) sends one well-formed SecurityAccess request followed by a single-byte 0x27 frame. The second frame triggers the integer underflow in Handle_0x27_SecurityAccess, and the application's SecAccessValidateKey or SecAccessRequestSeed callback is handed a length of 65535; a callback that walks that span reads up to 65535 bytes from the start of the request data, almost all of which lies beyond the 4-KB receive buffer, crashing the UDS server process or the bare-metal ECU.
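
The two-frame sequence described in the vulnerability description and in the metric rationale above, modelled as an added example in C. This is not iso14229's own code: the type and function names, the 4-KB receive buffer, the base length of 2 (SID plus subFunction) and the NRC 0x13 response in the hardened variant are assumptions made for the demo. The vulnerable handler keeps the shape the advisory describes (index recv_buf[1], then subtract before bounding recv_len), the hardened one adds the lower-bound check the other service handlers already perform, and bytes_past_buffer() measures the overrun a callback walking args.len bytes would commit instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the SecurityAccess (0x27) request path described in the
 * advisory; it is NOT iso14229's own code. The type and function names, the
 * 4-KB receive buffer, the base length of 2 (SID + subFunction) and the NRC
 * 0x13 response are assumptions made for this demo. */
#define RECV_BUF_SIZE         4096
#define SID_SECURITY_ACCESS   0x27
#define UDS_0X27_REQ_BASE_LEN 2     /* assumed: SID byte + subFunction byte */
#define NRC_POSITIVE          0x00
#define NRC_INCORRECT_LENGTH  0x13  /* incorrectMessageLengthOrInvalidFormat */

typedef struct {
    uint8_t  recv_buf[RECV_BUF_SIZE];
    uint16_t recv_len;
} uds_srv_t;

typedef struct {
    uint8_t        level;  /* subFunction: odd = requestSeed, even = sendKey */
    const uint8_t *data;   /* seed-request or key bytes handed to the callback */
    uint16_t       len;    /* number of bytes the callback is told it may read */
} sec_access_args_t;

typedef uint8_t (*handler_fn)(const uds_srv_t *, sec_access_args_t *);

/* Deliver a frame the way a transport would: only recv_len bytes are written,
 * so a one-byte frame leaves the previous message's subFunction byte in place. */
static void deliver(uds_srv_t *srv, const uint8_t *frame, uint16_t len) {
    memcpy(srv->recv_buf, frame, len);
    srv->recv_len = len;
}

/* Vulnerable shape: index recv_buf[1] and subtract before bounding recv_len.
 * With recv_len == 1 the uint16_t subtraction wraps to 65535. */
static uint8_t handle_0x27_vuln(const uds_srv_t *srv, sec_access_args_t *a) {
    a->level = srv->recv_buf[1];
    a->data  = &srv->recv_buf[UDS_0X27_REQ_BASE_LEN];
    a->len   = (uint16_t)(srv->recv_len - UDS_0X27_REQ_BASE_LEN);
    return NRC_POSITIVE;
}

/* Hardened shape: the lower-bound check the other service handlers already do,
 * answered with the UDS negative response for a malformed length. */
static uint8_t handle_0x27_fixed(const uds_srv_t *srv, sec_access_args_t *a) {
    if (srv->recv_len < UDS_0X27_REQ_BASE_LEN) return NRC_INCORRECT_LENGTH;
    a->level = srv->recv_buf[1];
    a->data  = &srv->recv_buf[UDS_0X27_REQ_BASE_LEN];
    a->len   = (uint16_t)(srv->recv_len - UDS_0X27_REQ_BASE_LEN);
    return NRC_POSITIVE;
}

/* Measure, instead of perform, the read a callback walking args.len bytes
 * would do: how many of those bytes lie beyond the end of recv_buf. */
static size_t bytes_past_buffer(const uds_srv_t *srv, const sec_access_args_t *a) {
    size_t start = (size_t)(a->data - srv->recv_buf);
    size_t end   = start + a->len;
    return end > RECV_BUF_SIZE ? end - RECV_BUF_SIZE : 0;
}

typedef struct {
    uint8_t  first_nrc;   /* response to the well-formed requestSeed frame */
    uint8_t  second_nrc;  /* response to the single-byte 0x27 frame */
    uint16_t len;         /* args.len the callback would receive for frame two */
    size_t   overrun;     /* bytes beyond recv_buf that callback could touch */
} outcome_t;

/* Replay the advisory's two-frame sequence against one handler. */
static outcome_t replay(handler_fn handler) {
    static uds_srv_t srv;  /* static: a 4-KB struct, keep it off the stack */
    const uint8_t seed_req[]  = { SID_SECURITY_ACCESS, 0x01, 0xAA, 0xBB }; /* constructed */
    const uint8_t short_req[] = { SID_SECURITY_ACCESS };                   /* constructed */
    sec_access_args_t a = {0};
    outcome_t o = {0};

    memset(&srv, 0, sizeof srv);
    deliver(&srv, seed_req, (uint16_t)sizeof seed_req);
    o.first_nrc = handler(&srv, &a);

    deliver(&srv, short_req, (uint16_t)sizeof short_req);
    o.second_nrc = handler(&srv, &a);
    if (o.second_nrc == NRC_POSITIVE) {
        o.len     = a.len;
        o.overrun = bytes_past_buffer(&srv, &a);
    }
    return o;
}

int main(void) {
    outcome_t v = replay(handle_0x27_vuln);
    outcome_t f = replay(handle_0x27_fixed);
    printf("vulnerable: NRC 0x%02x, callback len %u, %zu bytes past buffer\n",
           v.second_nrc, v.len, v.overrun);
    printf("hardened:   NRC 0x%02x for the short frame (first frame NRC 0x%02x)\n",
           f.second_nrc, f.first_nrc);
    return 0;
}
```

Any C99 compiler builds it. The vulnerable replay hands the callback a length of 65535 and would let it touch 61441 bytes beyond the 4-KB buffer; the hardened replay still accepts the well-formed requestSeed frame and answers the one-byte frame with NRC 0x13 before any index or subtraction happens, which is the ordering the fix needs: bound recv_len first, then index.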

Product Status

Vendor driftregion
Product iso14229
Versions Default: unknown
  • affected from 0 to 0.9.0 (incl.)

Credits

  • Burxonov Muslimbek (finder)

References

Problem Types

  • CWE-191 Integer Underflow (Wrap or Wraparound)
  • CWE-125 Out-of-bounds Read

Impacts

  • A remote unauthenticated attacker who can send a single-byte SecurityAccess (SID 0x27) UDS request, after any earlier well-formed 0x27 message, to a server built on iso14229 - over CAN bus, OBD-II, ISO-TP, or DoIP - crashes the diagnostic server process and may incidentally read up to 65535 bytes beginning in the receive buffer, almost all of them past its end, through the callback the underflowed length is handed to. In automotive and industrial deployments this denies UDS diagnostics for the affected ECU or controller and, on bare-metal targets without memory protection, the resulting hard fault can take the whole control loop down for the duration of the watchdog reset cycle. No prior authentication, no SecurityAccess unlock, and no user interaction are required: the SecurityAccess handler is reachable in the default session.