This vulnerability exists in cannelloni v2.0.0 within the CAN frame parsing code, specifically in parser.cpp (parseCANFrame) and decoder.cpp (decodeFrame). A buffer overflow can be triggered remotely by sending specially crafted CAN FD frames, potentially leading to denial of service or arbitrary code execution. The CVSS 3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability was published on 2026-05-01, but no patch or remediation level has been provided by the vendor or authoritative sources.

Successful exploitation can cause a denial of service by crashing the affected application or may allow remote code execution, compromising system confidentiality, integrity, and availability. The vulnerability requires no privileges and no user interaction, making it highly exploitable over the network. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting exposure of the vulnerable service to untrusted networks and monitor for unusual activity related to CAN FD frame processing.