Severity (Mallory rating): High

Integer underflow and out-of-bounds read in driftregion iso14229 Handle_0x27_SecurityAccess

Identifiers: CVE-2026-54413; CWE-191 (Integer Underflow (Wrap or Wraparound))

CVE-2026-54413 affects driftregion iso14229 through 0.9.0. The flaw is in Handle_0x27_SecurityAccess() in iso14229.c, where the handler reads the SecurityAccess subFunction from recv_buf[1] without first verifying that recv_len is at least 2. It then computes the key-data length as (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN). When recv_len is 1, this subtraction underflows to 65535, and the resulting oversized length is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback. Those callbacks typically iterate over or copy that many bytes from the 4-KB receive buffer, causing a downstream out-of-bounds read. The issue can be triggered by sending a single-byte 0x27 SecurityAccess request after any earlier well-formed 0x27 message. The vulnerable path is reachable over CAN bus, OBD-II, ISO-TP, and DoIP, and is exposed in the default diagnostic session without prior authentication.


Analyst brief: impact, mitigation and remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to crash the UDS server, resulting in denial of service. Because the underflowed length can drive callback logic to iterate over or copy data far beyond the valid request boundary, exploitation may also cause out-of-bounds reads past the receive buffer and potentially expose adjacent memory contents. Affected deployments include automotive ECUs, industrial controllers, and IoT devices using iso14229 as their UDS server.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed release is deployed, reduce exposure of UDS SecurityAccess service 0x27 over CAN bus, OBD-II, ISO-TP, and DoIP wherever possible. Limit access to diagnostic interfaces, disable or gate unauthenticated access to the default diagnostic session if operationally feasible, and add defensive input-length validation in integrator callback code such as SecAccessValidateKey and SecAccessRequestSeed so that malformed requests with insufficient length or implausible args.len values are rejected before any iteration or copy occurs.

Remediation

Patch, then assume compromise.

Upgrade driftregion iso14229 to a version newer than 0.9.0 once a fixed release is available. The vulnerable handler should be corrected to enforce a recv_len lower-bound check before accessing recv_buf[1] and before computing or using SecurityAccess key-data lengths, consistent with the explicit length validation already present in other UDS sub-function handlers in the library.
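The lower-bound check the remediation describes, shown as an added C example rather than the library's own code: the underflowing arithmetic from the advisory next to a hardened request parser and a defensive integrator callback. The value UDS_0X27_REQ_BASE_LEN = 2 (SID plus subFunction, which matches the 1 - 2 = 65535 underflow on this page), MAX_KEY_LEN, the SecAccessArgs struct and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed values (not taken from the library). */
#define UDS_0X27_REQ_BASE_LEN 2u     /* SID 0x27 + subFunction byte */
#define RECV_BUF_SIZE         4096u  /* the 4-KB receive buffer mentioned in the advisory */
#define MAX_KEY_LEN           64u    /* integrator-chosen plausible upper bound for key data */

typedef struct {
    uint8_t        subFunction;
    const uint8_t *data;   /* key or seed-request bytes following the subFunction */
    uint16_t       len;    /* number of bytes in data */
} SecAccessArgs;

/* Mirrors the flawed computation described in the advisory: no recv_len check,
 * so recv_len == 1 wraps to 65535. Kept only to demonstrate the failure mode. */
uint16_t vulnerable_key_len(size_t recv_len) {
    return (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
}

/* Hardened parsing: enforce the lower bound before touching recv_buf[1]
 * or deriving a length. Returns false when the request must be rejected. */
bool parse_security_access(const uint8_t *recv_buf, size_t recv_len, SecAccessArgs *out) {
    if (recv_buf == NULL || out == NULL) return false;
    if (recv_len < UDS_0X27_REQ_BASE_LEN || recv_len > RECV_BUF_SIZE) return false;
    out->subFunction = recv_buf[1];
    out->data = recv_buf + UDS_0X27_REQ_BASE_LEN;
    out->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);  /* cannot underflow now */
    return true;
}

/* Defensive integrator callback (SecAccessValidateKey-style): rejects an
 * implausible args.len before any loop or copy, then compares in constant time. */
bool sec_access_validate_key(const SecAccessArgs *args, const uint8_t *expected, size_t expected_len) {
    if (args == NULL || args->data == NULL || expected == NULL) return false;
    if (args->len == 0 || args->len > MAX_KEY_LEN || args->len != expected_len) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < args->len; i++) diff |= (uint8_t)(args->data[i] ^ expected[i]);
    return diff == 0;
}
```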

Public exploits

No public exploit code observed for this vulnerability.
