CVE-2026-49316
Description
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adjacent-network attacker can bypass the motorcycle's anti-theft shutdown by forcing the WCM into CAN bus-off state via error-frame injection.
Vulnerability
CVE-2026-49316 is a vulnerability in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech (2025 model year). The Wireless Control Module (WCM) is responsible for transmitting shutdown commands on the CAN bus for anti-theft purposes. However, the system does not handle WCM silence as a security event. The weakness is classified as CWE-440 (Expected Behavior Violation) [1]: an adjacent attacker can inject targeted error frames to drive the WCM's CAN controller past the bus-off threshold, causing it to cease all transmissions. Affected versions are the 2025 model year vehicles.
Exploitation
An attacker must be within the CAN bus's physical proximity (adjacent network) to send error frames. The attack leverages a well-known technique: the attacker identifies a periodic message from the WCM and responds with repeated error frames, increasing the WCM's transmit error counter. Once the counter exceeds the bus-off limit (typically 255 for CAN 2.0), the WCM controller automatically disconnects from the bus. No authentication or special permissions are required beyond network access.
Impact
Successful exploitation causes the WCM to stop transmitting the shutdown command. Other ECUs (Engine Control Unit, etc.) continue normal operation because they do not treat WCM silence as a security event. This allows the motorcycle to be operated despite the anti-theft immobilizer never having been unlocked, effectively bypassing the theft protection mechanism.
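The gap described above, sketched from the receiving ECU's side as an added example (not vendor code and not taken from the advisory). The period, miss limit, command enum and all function names are assumptions, since the real frame layout is withheld. It contrasts a "run unless told to shut down" policy with a default-deny policy that logs WCM silence as a security event.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed values: the advisory withholds the real WCM period and frame layout. */
#define WCM_PERIOD_MS  100u
#define WCM_MISS_LIMIT 3u            /* missed periods before the WCM counts as silent */

typedef enum { WCM_SHUTDOWN, WCM_UNLOCKED } wcm_cmd_t;   /* hypothetical payload */

typedef struct {
    uint32_t last_rx_ms;      /* time of the last WCM frame received */
    bool     shutdown;        /* last frame carried the shutdown command */
    bool     unlocked;        /* last frame carried a positive unlock */
    bool     silent;          /* silence already reported for this outage */
    uint32_t silence_events;  /* security events raised so far */
} wcm_monitor_t;

void wcm_init(wcm_monitor_t *m, uint32_t now_ms)
{
    *m = (wcm_monitor_t){ .last_rx_ms = now_ms };
}

/* Feed every WCM frame the peer ECU receives. */
void wcm_on_frame(wcm_monitor_t *m, uint32_t now_ms, wcm_cmd_t cmd)
{
    m->last_rx_ms = now_ms;
    m->silent     = false;
    m->shutdown   = (cmd == WCM_SHUTDOWN);
    m->unlocked   = (cmd == WCM_UNLOCKED);
}

static bool wcm_is_silent(const wcm_monitor_t *m, uint32_t now_ms)
{
    /* Unsigned subtraction stays correct across timer wrap-around. */
    return (uint32_t)(now_ms - m->last_rx_ms) > WCM_PERIOD_MS * WCM_MISS_LIMIT;
}

/* Modelled legacy policy (assumption): run unless a shutdown command is current. */
bool legacy_run_allowed(const wcm_monitor_t *m, uint32_t now_ms)
{
    return wcm_is_silent(m, now_ms) || !m->shutdown;
}

/* Default deny: only a positive unlock authorizes; silence is logged once per outage. */
bool hardened_run_allowed(wcm_monitor_t *m, uint32_t now_ms)
{
    if (wcm_is_silent(m, now_ms) && !m->silent) {
        m->silent = true;
        m->silence_events++;
    }
    return m->unlocked;
}
```

In this sketch, silence after a valid unlock keeps the existing authorization and only raises the event, so a WCM fault mid-ride does not cut the engine; that trade-off is a design assumption of the example.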
Mitigation
According to public information, the vendor has not released a fix as of 2026-05-29. The reference advisory has withheld specific protocol details pending vendor remediation [1]. No workaround or patch is available in the provided sources. This vulnerability is not listed in CISA KEV as of the publication date.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: 2025 model year
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.