The vulnerability in openxc/isotp-c arises from improper validation of the 4-bit payload length nibble in the ISO-TP Single Frame receive handler. The code uses this nibble directly as the size parameter for memcpy without verifying it against the actual CAN data length, resulting in an out-of-bounds read. This flaw can be triggered by sending a malicious CAN frame with an oversized length nibble, leading to memory reads beyond the buffer boundary. The CVSS 3.1 score is 7.1, indicating high severity with network attack vector, low complexity, no privileges required, and no user interaction needed. The impact includes denial of service and potential information disclosure. There is no vendor advisory or patch information available at this time.

An attacker capable of sending crafted CAN frames can exploit this vulnerability to cause out-of-bounds memory reads. This can result in denial of service conditions or unauthorized disclosure of sensitive information from memory. The vulnerability does not require privileges or user interaction and can be exploited remotely over the CAN network. The confidentiality impact is low, integrity is not affected, and availability impact is high.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting or validating CAN frame inputs to prevent oversized length nibbles from being processed. Monitor for updates from the openxc/isotp-c maintainers regarding patches or mitigations.