CVE-2026-54413
Description
Integer underflow in iso14229's Handle_0x27_SecurityAccess allows remote unauthenticated attackers to crash UDS servers and potentially read memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In the iso14229 library through version 0.9.0, the Handle_0x27_SecurityAccess() function in iso14229.c [4] contains an integer underflow and subsequent out-of-bounds read. The handler reads the SecurityAccess subFunction from recv_buf[1] without first verifying that recv_len is at least 2. When a single-byte 0x27 request is received, recv_len equals 1, and the computation (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN) underflows to 65535. This value is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which then iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library performs an explicit lower-bound check; Handle_0x27_SecurityAccess is the sole outlier [3].
Exploitation
An unauthenticated remote attacker can trigger the vulnerability by sending a single-byte 0x27 SecurityAccess request over any supported transport (CAN bus, OBD-II, ISO-TP, DoIP) after having sent any earlier well-formed 0x27 message. No prior authentication or special session is required; the handler is exposed in the default diagnostic session. The attacker does not need any special privileges or network position beyond the ability to send UDS frames to the target server [3].
Impact
Successful exploitation causes the UDS server to read up to 65535 bytes from the receive buffer, which is only 4 KB in size. This out-of-bounds read [1] can crash the server (denial of service) and may leak sensitive memory contents past the intended buffer. The integer underflow [2] is the root cause that enables the oversized read. The impact is limited to information disclosure and denial of service; remote code execution is not described in the available references.
Mitigation
As of the publication date (2026-06-14), no fixed version of iso14229 has been released. The library is at major version zero (API unstable) [3]. Users should apply a local patch to Handle_0x27_SecurityAccess() that adds a recv_len < 2 check before indexing recv_buf[1] and computing the key-data length. Until a patched version is available, disabling the 0x27 SecurityAccess service or restricting network access to the UDS server can reduce exposure. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
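The lower-bound check the Mitigation section calls for, and the wrap the Vulnerability section describes, written out as an added C example. This is not the iso14229 library's code: the constant names, the SecAccessArgs struct, the callback shape and the 4-KB buffer size are assumptions, and the base request length of 2 (service id plus subFunction) is inferred from the page's arithmetic, since (uint16_t)(1 - 2) is 65535.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants (not taken from the library): the page's arithmetic
 * (uint16_t)(1 - BASE_LEN) == 65535 implies BASE_LEN == 2. */
#define UDS_SID_SECURITY_ACCESS 0x27u
#define UDS_0X27_REQ_BASE_LEN   2u
#define RX_BUF_SIZE             4096u   /* the 4-KB receive buffer from the page */

/* Stand-in for the argument block handed to the SecAccessValidateKey /
 * SecAccessRequestSeed callbacks; only the fields relevant here. */
typedef struct {
    uint8_t subFunction;
    const uint8_t *key;  /* bytes following the subFunction */
    uint16_t len;        /* number of key/seed bytes the callback may touch */
} SecAccessArgs;

/* The length computation as the page describes it, with no lower-bound
 * check, so a 1-byte request wraps to 65535. Deliberately touches no
 * buffer so the wrap can be shown without an out-of-bounds read. */
uint16_t key_len_unchecked(size_t recv_len)
{
    return (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
}

/* Hardened parse: the length is validated before any index into recv_buf
 * and before the subtraction. Returns false when the request must be
 * rejected (the caller would answer with a negative response, NRC 0x13
 * incorrectMessageLengthOrInvalidFormat). */
bool parse_0x27_request(const uint8_t *recv_buf, size_t recv_len,
                        SecAccessArgs *out)
{
    /* Bound both ends: too short wraps the subtraction, too long could
     * make the callback walk past the receive buffer. */
    if (recv_buf == NULL || out == NULL ||
        recv_len < UDS_0X27_REQ_BASE_LEN || recv_len > RX_BUF_SIZE) {
        return false;
    }
    if (recv_buf[0] != UDS_SID_SECURITY_ACCESS) {
        return false;
    }
    out->subFunction = recv_buf[1];                          /* safe: recv_len >= 2 */
    out->key = recv_buf + UDS_0X27_REQ_BASE_LEN;
    out->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); /* cannot wrap now */
    return true;
}

/* Defensive ValidateKey callback: never iterate args->len bytes blindly,
 * compare only when the length matches the expected key size. */
bool validate_key_callback(const SecAccessArgs *args,
                           const uint8_t *expected, size_t expected_len)
{
    if (args == NULL || args->key == NULL || args->len != expected_len) {
        return false;
    }
    return memcmp(args->key, expected, expected_len) == 0;
}

/* Constructed inputs for the two cases discussed on the page. */
bool demo_short_request_rejected(void)
{
    uint8_t one_byte[1] = { UDS_SID_SECURITY_ACCESS };   /* constructed 1-byte 0x27 request */
    SecAccessArgs args;
    return !parse_0x27_request(one_byte, sizeof one_byte, &args);
}

bool demo_well_formed_request_accepted(void)
{
    /* constructed sendKey request: SID, subFunction 0x02, 4 key bytes */
    uint8_t req[] = { UDS_SID_SECURITY_ACCESS, 0x02, 0xDE, 0xAD, 0xBE, 0xEF };
    uint8_t expected[] = { 0xDE, 0xAD, 0xBE, 0xEF };
    SecAccessArgs args;
    if (!parse_0x27_request(req, sizeof req, &args)) return false;
    if (args.subFunction != 0x02 || args.len != 4) return false;
    return validate_key_callback(&args, expected, sizeof expected);
}

int main(void)
{
    printf("unchecked len for 1-byte request: %u\n", key_len_unchecked(1));
    printf("short request rejected: %s\n", demo_short_request_rejected() ? "yes" : "no");
    printf("well-formed request accepted: %s\n", demo_well_formed_request_accepted() ? "yes" : "no");
    return 0;
}
```

The point of the upper bound (recv_len > RX_BUF_SIZE) is that the callback receives args.len as a trust boundary: once the handler guarantees 2 <= recv_len <= buffer size, every value it can hand the application stays inside the receive buffer, which is the property the single-byte request violates on the unpatched library.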
AI Insight generated on Jun 14, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=0.9.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions
No linked articles in our index yet.