VYPR
High severity · 7.5 · NVD Advisory · Published May 26, 2026

CVE-2026-43988


Description

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vanetza 26.02 and earlier terminate due to an uncaught exception when processing malformed ASN.1/OER packets, enabling remote denial of service.

Vulnerability

In Vanetza 26.02 and earlier, the ASN.1/OER parsing pipeline contains a denial-of-service vulnerability. The ASN.1 wrapper (asn1c_wrapper.cpp) raises std::runtime_error when processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding). This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. The vulnerable code path is reachable from the network-facing packet processing entry point via Router::indicate [1].

Exploitation

An unauthenticated remote attacker can send a crafted packet to the vulnerable process. The packet must contain malformed ASN.1/OER data (e.g., invalid length fields or malformed certificate encoding). Upon ingestion, the parsing routine throws an exception that is not handled, leading to std::terminate. A reproduction using a fuzzing harness and a minimized proof-of-concept file (poc_type_c.bin) confirms the behavior [1]. No authentication or prior access is required.

Impact

Successful exploitation causes the Vanetza process to terminate immediately, resulting in a reliable denial of service. The application becomes unavailable, affecting all services relying on the C-ITS protocol stack. There is no confidentiality or integrity impact; the attack solely targets availability [1].

Mitigation

The vulnerability is fixed in commit 62dfe58a8342512b6e1947d75821402ada524f1a, which introduces exception handling in the canonicalize function for certificates, catching exceptions and returning boost::none instead of crashing [2]. Users should update to a version that includes this commit. If an immediate update is not possible, network-level filtering of malformed ASN.1/OER packets may reduce risk, but no complete workaround is provided. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Riebl/Vanetza (2 versions)
    • (no CPE)
    • (no CPE), range: <=26.02

Patches

1
62dfe58a8342

security: don't throw when creating a canonical v3 certificate

https://github.com/riebl/vanetza · Raphael Riebl · Apr 26, 2026 · via text-mined
1 file changed · +11 -2
  • vanetza/security/v3/certificate.cpp · +11 -2 · modified
    @@ -286,9 +286,8 @@ boost::optional<Certificate> CertificateView::canonicalize() const
         return m_cert ? v3::canonicalize(*m_cert) : boost::none;
     }
     
    -boost::optional<Certificate> canonicalize(const asn1::EtsiTs103097Certificate& cert)
    +static boost::optional<Certificate> canonicalize(Certificate&& canonical)
     {
    -    Certificate canonical { cert };
         bool success = true;
     
         if (canonical->toBeSigned.verifyKeyIndicator.present == Vanetza_Security_VerificationKeyIndicator_PR_verificationKey) {
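Review bot: The new static canonicalize(Certificate&&) shares its name with the public canonicalize(const asn1::EtsiTs103097Certificate&), so the two overloads differ only in parameter type, and the removed line `Certificate canonical { cert };` shows a Certificate can be built from the ASN.1 type. A distinct helper name (for example canonicalize_impl) plus a short comment that it expects an already-constructed certificate would make it obvious at each call site whether the guarded or the unguarded function is being used.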
    @@ -336,6 +335,16 @@ boost::optional<Certificate> canonicalize(const asn1::EtsiTs103097Certificate& c
         }
     }
     
    +boost::optional<Certificate> canonicalize(const asn1::EtsiTs103097Certificate& cert)
    +{
    +    try {
    +        Certificate copy { cert };
    +        return canonicalize(std::move(copy));
    +    } catch (const std::exception&) {
    +        return boost::none;
    +    }
    +}
    +
     boost::optional<HashedId8> calculate_digest_internal(const asn1::EtsiTs103097Certificate& cert, KeyType key_type)
     {
         boost::optional<HashedId8> digest;
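Review bot: The try block in the new canonicalize(const asn1::EtsiTs103097Certificate&) guards only this one entry point, and `catch (const std::exception&)` maps every failure, std::bad_alloc included, to boost::none without any diagnostic. calculate_digest_internal directly below takes the same certificate type, so it is worth confirming that it and any other function in this file that copies or re-encodes an untrusted certificate cannot throw past its caller. The commit changes a single file, so a regression test that feeds a malformed certificate through canonicalize and expects boost::none should accompany it.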
    

Vulnerability mechanics

Root cause

"Uncaught std::runtime_error from ASN.1/OER parsing propagates to std::terminate, causing denial of service."

Attack vector

An attacker sends a malformed network packet containing a corrupted ASN.1/OER structure (e.g., invalid length fields or malformed certificate encoding) to a Vanetza-based service. When the packet reaches the ASN.1 wrapper (asn1c_wrapper.cpp) and is processed by the canonicalize function, the malformed data triggers a std::runtime_error. Because the exception is not caught at the parsing boundary, it propagates to std::terminate, killing the process. No authentication or special network position is required [ref_id=1].

Affected code

The vulnerability is in the ASN.1/OER parsing pipeline, specifically in the canonicalize function in vanetza/security/v3/certificate.cpp. The constructor call `Certificate copy { cert }` (written `Certificate canonical { cert }` before the patch) can throw a std::runtime_error when processing malformed ASN.1/OER data, and this exception was previously uncaught [patch_id=2592769]. The advisory also identifies asn1c_wrapper.cpp as the source of the thrown runtime_error [ref_id=1].

What the fix does

The patch wraps the Certificate constructor call inside canonicalize(const asn1::EtsiTs103097Certificate& cert) in a try-catch block that catches std::exception and returns boost::none instead of letting the exception propagate [patch_id=2592769]. The inner canonicalize function is made static and accepts an already-constructed Certificate&&, separating the throwing construction from the non-throwing canonicalization logic. This ensures that malformed ASN.1/OER input results in a graceful optional-empty return rather than process termination.
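
The boundary pattern the fix applies, shown as an added example that is not Vanetza code: decode_octets, receive_unguarded, receive_guarded and escapes_unguarded are hypothetical names, the decoder is a toy OER length-prefixed reader standing in for the throwing wrapper, and std::optional (C++17) replaces boost::optional so the block builds on its own.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Toy decoder (hypothetical, not Vanetza code): one OER length-prefixed octet string.
Bytes decode_octets(const Bytes& in)
{
    if (in.empty()) throw std::runtime_error("empty input");
    std::size_t pos = 1, len = in[0];
    if (in[0] & 0x80) {  // long form: low 7 bits give the number of length octets
        const std::size_t n = in[0] & 0x7f;
        if (n == 0 || n > sizeof(std::size_t) || n > in.size() - 1)
            throw std::runtime_error("invalid length determinant");
        len = 0;
        for (std::size_t i = 0; i < n; ++i) len = (len << 8) | in[pos++];
    }
    if (len > in.size() - pos)  // declared length exceeds the bytes actually present
        throw std::runtime_error("length exceeds buffer");
    return Bytes(in.begin() + pos, in.begin() + pos + len);
}

// Pre-fix shape: the exception escapes; with no handler above, std::terminate runs.
Bytes receive_unguarded(const Bytes& packet) { return decode_octets(packet); }

// Post-fix shape: the boundary converts any failure into an empty optional.
std::optional<Bytes> receive_guarded(const Bytes& packet) noexcept
{
    try {
        return decode_octets(packet);
    } catch (const std::exception&) {
        return std::nullopt;
    }
}

// True when the unguarded path lets an exception escape for this input.
bool escapes_unguarded(const Bytes& packet)
{
    try { receive_unguarded(packet); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    const Bytes malformed{0x05, 0x01};  // constructed: claims 5 bytes, carries 1
    return receive_guarded(malformed) ? 1 : 0;  // exits 0: packet rejected, process alive
}
```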

Preconditions

  • network: Attacker must be able to send network packets to a Vanetza-based service that processes ASN.1/OER-encoded certificates.
  • input: The malformed packet must contain corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding).
  • auth: No authentication or prior access is required.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
