PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37530 Automotive Grade Linux CVE debrief

CVE-2026-37530 describes a stack-based buffer overflow in Automotive Grade Linux (AGL) agl-service-can-low-level, through version 17.1.12, inside the uds-c library. The issue is in send_diagnostic_request in uds.c, where a 6-byte stack buffer can be overrun by a memcpy path that may copy up to 7 bytes at an offset derived from pid_length. NVD assigns CVSS 7.5 (HIGH) and maps the weakness to CWE-121. Because the supplied record indicates network access without privileges or user interaction, affected deployments should treat this as a high-priority code-fix issue, especially where stack protections are weak or absent.

Vendor: Automotive Grade Linux
Product: agl-service-can-low-level
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-05-20
Advisory published: 2026-05-01
Advisory updated: 2026-05-20

Who should care

Automotive OEMs, Tier 1 suppliers, fleet operators, and embedded security teams using Automotive Grade Linux images that include agl-service-can-low-level at version 17.1.12 or earlier. Teams responsible for diagnostic-service exposure, 32-bit ARM ECU builds, and compiler/runtime hardening should also review this CVE.

Technical summary

The supplied CVE description says send_diagnostic_request in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but can copy up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) with memcpy at an offset of 1+pid_length, where pid_length may be 2 or 3 bytes. That combination can yield a 1-4 byte controlled stack overflow because the uint8_t payload_length field is not bounded against the destination size. The impact described in the source is conditional: on 32-bit ARM automotive ECUs without stack canaries, overwrite of the return address may be possible, potentially leading to remote code execution. NVD lists the vulnerability status as Analyzed and associates it with CWE-121.

Defensive priority

High for any exposed or fleet-managed AGL deployment using agl-service-can-low-level at or below 17.1.12. Prioritize patch verification and fleet inventorying now, and treat systems without strong stack protections as especially urgent.

Recommended defensive actions

  • Inventory all Automotive Grade Linux deployments and confirm whether agl-service-can-low-level is present at version 17.1.12 or earlier.
  • Apply the vendor fix or a newer release as soon as it is available; if patches are not yet deployed, track remediation as a priority item.
  • Reduce exposure of diagnostic-request paths where feasible, especially on systems that do not need remote access to the affected service.
  • Rebuild or redeploy with available compiler and runtime hardening enabled, including stack canaries and other memory-safety mitigations where supported by the platform.
  • Validate the affected code path for length checks and buffer sizing in a controlled test environment before release; do not rely on assumptions about the payload field.
  • Monitor for vendor or downstream AGL advisories, since the supplied corpus contains only a third-party advisory and a broken vendor reference.
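A constructed illustration of the length check that the technical summary and the validation bullet above call for (added here; it is not the uds-c code and not the vendor's fix). It assembles the request only after the total of mode byte, PID bytes and payload is compared against the destination buffer, using the two sizes the CVE description quotes; the function and parameter names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes as quoted in the CVE description; everything around them is a
 * constructed illustration, not the library's own code. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE 6
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7

/* Writes [mode][pid...][payload...] into dest. Returns the number of bytes
 * written, or -1 when the pieces would not fit. The check is done before any
 * memcpy and against the real destination size, not only against the larger
 * protocol maximum; that gap is what the CVE describes. */
int build_diagnostic_request(uint8_t *dest, size_t dest_size, uint8_t mode,
                             const uint8_t *pid, uint8_t pid_length,
                             const uint8_t *payload, uint8_t payload_length)
{
    /* size_t arithmetic: a uint8_t sum could wrap and pass a naive check. */
    size_t needed = 1u + (size_t)pid_length + (size_t)payload_length;
    if (dest == NULL || dest_size < needed)
        return -1;                         /* would overrun dest: refuse */
    if (payload_length > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        return -1;                         /* protocol maximum still enforced */
    if (pid_length > 0 && pid == NULL)
        return -1;
    if (payload_length > 0 && payload == NULL)
        return -1;

    dest[0] = mode;
    if (pid_length)
        memcpy(dest + 1, pid, pid_length);
    if (payload_length)
        memcpy(dest + 1 + pid_length, payload, payload_length);
    return (int)needed;
}

/* Exercises the builder against a 6-byte stack buffer like the one in the
 * description, with constructed sample PID and payload bytes. */
int request_fits(uint8_t pid_length, uint8_t payload_length)
{
    uint8_t buf[MAX_DIAGNOSTIC_PAYLOAD_SIZE];
    uint8_t pid[3] = {0x01, 0x02, 0x03};            /* constructed sample */
    uint8_t pay[MAX_UDS_REQUEST_PAYLOAD_LENGTH] = {0}; /* constructed sample */
    if (pid_length > sizeof pid)
        return -1;                         /* sample PID only holds 3 bytes */
    return build_diagnostic_request(buf, sizeof buf, 0x22,
                                    pid, pid_length, pay, payload_length);
}
```

With a 2- or 3-byte PID only 3 or 2 payload bytes fit in the 6-byte buffer, so a 7-byte payload length is rejected instead of being copied.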

Evidence notes

Source timing used here is the supplied CVE publication date of 2026-05-01 and modified date of 2026-05-20. The official NVD record marks the CVE as Analyzed, lists CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and maps the weakness to CWE-121. The vulnerable CPE criterion in the supplied metadata is Automotive Grade Linux through version 17.1.12. The corpus also says the CVE is not in KEV. One cited vendor reference is tagged Broken Link, so this debrief relies on the official CVE/NVD records plus the supplied third-party advisory reference for context.

Official resources

Published by NVD on 2026-05-01 and last modified on 2026-05-20. This debrief uses only the supplied corpus and official links, and it does not treat generation time as the CVE issue date.