Feng Ning

**Name of the Vulnerable Software and Affected Versions** agl-service-can-low-level (affected versions not specified) **Description** A stack buffer overflow exists in the uds-c library. The `send diagnostic request()` function in uds.c allocates a 6-byte stack buffer but copies up to 7 bytes via memcpy at an offset of 1+pid length (2-3 bytes), allowing 1-4 bytes of controlled stack overflow. This occurs because the `payload length` variable lacks a bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries (security mechanisms that detect stack buffer overflows), this can lead to return address overwrite and remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hashcat version 7.1.2 **Description** A stack-based buffer overflow occurs in the `mangle to hex lower()` and `mangle to hex upper()` functions within `src/rp cpu.c`. This issue arises from a bounds check that fails to account for the 2x expansion when password bytes are converted to hexadecimal. An attacker can exploit this via a crafted rule file or by using the `-j` or `-k` rule options with password candidates of 128 characters or more, potentially leading to a denial of service or arbitrary code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hashcat version 7.1.2 **Description** A heap-based buffer overflow exists in the Kerberos hash parser. The issue occurs within the `module hash decode()` function across several Kerberos-related modules. It is caused by the `account info len` variable being calculated from untrusted delimiter positions without upper-bound validation before the data is copied into a fixed-size `account info` buffer using `memcpy()`. This can lead to a denial of service or the execution of arbitrary code when processing a specially crafted Kerberos hash file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open CASCADE Technology (OCCT) version V8 0 0 rc5 **Description** A heap-based out-of-bounds read in the OBJ file parser occurs within the `RWObj Reader::read` function. This happens because `Standard ReadLineBuffer::ReadLine()` may return a 1-byte buffer for a minimal OBJ line, and `RWObj Reader::read()` subsequently calls `pushIndices(aLine + 2)` without validating the buffer length. User-assisted attackers can exploit this by persuading a victim to open a specially crafted OBJ file, potentially leading to a denial of service or the disclosure of sensitive information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open CASCADE Technology (OCCT) version V8 0 0 rc5 **Description** A flaw in the VRML V2.0 parser allows attackers to cause a denial of service through a specially crafted VRML file. The issue occurs within the `VrmlData IndexedFaceSet::TShape` function in the `libTKDEVRML.so` library, where malformed input can trigger the dereference of a corrupt or unvalidated pointer during shape construction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open CASCADE Technology (OCCT) version V8 0 0 rc5 **Description** An out-of-bounds read in the VRML parser occurs within the `VrmlData IndexedLineSet::TShape` function. This issue allows attackers to cause a denial of service by using a crafted VRML file. The flaw exists because `coordIndex` values from the parsed input are used as direct array indices without being validated against the size of the coordinate array during geometry processing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open CASCADE Technology (OCCT) version V8 0 0 rc5 **Description** A stack-based out-of-bounds read in the VRML parser occurs within the `VrmlData Scene::ReadLine()` function. The quoted-string escape handler utilizes `ptr[++anOffset]` without adequate bounds checking, which may lead to reading data beyond the end of a fixed-size stack buffer. This can be exploited by an attacker using a specially crafted VRML file to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open CASCADE Technology (OCCT) version V8 0 0 rc5 **Description** Multiple issues exist in the IGES and STEP file parsers that can be triggered by crafted files. These include an out-of-bounds read (reading data outside the intended boundary of a buffer) in the `Geom2d BSplineCurve::EvalD0` function during IGES B-spline curve evaluation, an out-of-bounds read in the `MakeBSplineCurveCommon` function during STEP B-spline curve construction, and infinite recursion (a function calling itself without a termination condition) in the `StepShape OrientedEdge::EdgeStart` function when processing a self-referential OrientedEdge entity. Exploitation may lead to denial of service or unintended memory disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** agl-service-can-low-level versions prior to 17.1.12 **Description** A stack buffer overflow exists in the uds-c library. The `send diagnostic request()` function in uds.c allocates a 6-byte stack buffer but copies up to 7 bytes via memcpy at an offset of 1+pid length, allowing 1-4 bytes of controlled stack overflow. This occurs because the `payload length` variable lacks a bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries (security mechanisms that detect stack buffer overflows), this can lead to return address overwrite and remote code execution (RCE). **Recommendations** Update to version 17.1.12 or later.

**Name of the Vulnerable Software and Affected Versions** AGL app-framework-main versions 17.1.12 and earlier **Description** A Zip Slip path traversal issue combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the widget installation flow. The `is valid filename()` function in `wgtpkg-zip.c` fails to check for dot notation directory traversal sequences, blocking only absolute paths. Consequently, the `zread()` extraction function uses `openat(workdirfd, filename, O CREAT)`, which resolves dot notation relative to the work directory, enabling files to be written anywhere on the filesystem. In the `install widget()` function within `wgtpkg-install.c`, extraction via `zread()` occurs before signature verification via `check all signatures()`. If signature verification fails, the `remove workdir()` cleanup process only deletes the temporary work directory, leaving files written outside that directory via path traversal permanently on the system. **Recommendations** Update to a version later than 17.1.12. As a temporary workaround, restrict write permissions to the filesystem to minimize the risk of arbitrary file writes during widget installation.

**Name of the Vulnerable Software and Affected Versions** AGL agl-service-can-low-level versions prior to 17.1.12 **Description** A heap buffer over-read exists in the isotp-c library. In the `isotp continue receive()` function, the `payload length` for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, which can result in values from 0 to 15. Since a standard CAN frame is only 8 bytes and the payload starts at `data[1]`, only 7 bytes are available. If the `payload length` exceeds the available data, the `memcpy()` function reads up to 8 bytes beyond the end of the data buffer. **Recommendations** Update to a version newer than 17.1.12.

**Name of the Vulnerable Software and Affected Versions** Open-SAE-J1939 versions prior to commit b6caf884df46435e539b1ecbf92b6c29b345bdfe **Description** An integer underflow exists in the `SAE J1939 Read Transport Protocol Data Transfer()` function. This allows attackers to write to arbitrary memory by using a crafted sequence number from the CAN frame. **Recommendations** Update to a version containing commit b6caf884df46435e539b1ecbf92b6c29b345bdfe.

**Name of the Vulnerable Software and Affected Versions** openxc/isotp-c versions prior to commit 5a5d19245f65189202719321facd49ce6f5d46ac **Description** An out-of-bounds read exists in the ISO-TP Single Frame receive handler. The issue occurs because the 4-bit payload length nibble is used directly as the `memcpy` size without validation against the actual CAN data length. A malicious CAN frame with an oversized length nibble can trigger memory reads beyond the buffer, potentially leading to a denial of service or the exposure of sensitive information. **Recommendations** Update to a version of openxc/isotp-c released after commit 5a5d19245f65189202719321facd49ce6f5d46ac.

**Name of the Vulnerable Software and Affected Versions** miaofng/uds-c versions prior to commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a **Description** A stack buffer overflow exists in the `send diagnostic request()` function. The issue occurs because a 6-byte stack buffer, defined by `MAX DIAGNOSTIC PAYLOAD SIZE`, receives a `memcpy` operation with `payload length` bytes at an offset of 1 plus `pid length`. Since `MAX UDS REQUEST PAYLOAD LENGTH` is 7, the total size can reach 10 bytes, exceeding the buffer by 4 bytes due to a lack of bounds checking on `payload length` before the memory copy. **Recommendations** Update to a version that includes the fix implemented in commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a.

**Name of the Vulnerable Software and Affected Versions** collin80/Open-SAE-J1939 versions prior to commit 744024d4306bc387857dfce439558336806acb06 **Description** An integer underflow exists in the Transport Protocol Data Transfer handling. When the sequence number from a CAN frame, represented by the variable `data[0]`, is 0, the `index` variable underflows to 255. This leads to an out-of-bounds write where data is written to an offset of 1791, exceeding the 1785-byte `MAX TP DT` buffer by 6 bytes. **Recommendations** Update to a version containing commit 744024d4306bc387857dfce439558336806acb06 or later.

**Name of the Vulnerable Software and Affected Versions** socketcand version 0.4.2 **Description** A buffer overflow occurs in the `main()` function within the `socketcand.c` file. This issue allows attackers to cause a denial of service or other unspecified impacts by using a crafted `bus name` variable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenAMP version 2025.10.0 **Description** The ELF loader contains an integer overflow during firmware image parsing. In the `elf loader.c` file, the system multiplies two attacker-controlled 16-bit values from the ELF header without performing overflow checks. On 32-bit embedded systems such as STM32MP1, Zynq, and i.MX, providing large values can cause the resulting product to wrap around to a small value. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 **Description** A buffer overflow exists in the `canformat gvret.cpp` file. The length field in GVRET binary data is not properly validated, which allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending crafted GVRET frames. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Open-SAE-J1939 versions prior to commit b6caf884df46435e539b1ecbf92b6c29b345bdfe **Description** A denial of service can be triggered via a crafted CAN frame on the J1939 bus within the `SAE J1939 Read Binary Data Transfer DM16()` function. **Recommendations** Update to a version following commit b6caf884df46435e539b1ecbf92b6c29b345bdfe. As a temporary workaround, consider restricting access to the `SAE J1939 Read Binary Data Transfer DM16()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 **Description** A buffer overflow occurs in `canformat pcap.cpp` because the parser's `phdr.len` field is not properly validated. This allows remote attackers to cause a denial of service or potentially execute arbitrary code by providing crafted PCAP input. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.