Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-37539 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | cannelloni |
| Product | cannelloni |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame, allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.
Required Actions
Update cannelloni to a release newer than 2.0.0 that contains the fix. Until updated, restrict network access to hosts running cannelloni - especially ports receiving CAN-over-UDP traffic. In automotive and industrial deployments, enforce network segmentation and monitor CAN-over-IP traffic for unusual frames.
Who Is Affected?
This vulnerability affects the cannelloni project (CAN-over-UDP tunnelling). Check whether your organization uses this software in automotive, robotics, or IoT deployments and roll out the update.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
