The driftregion iso14229 library up to version 0.9.0 contains an integer underflow vulnerability in the Handle_0x27_SecurityAccess() function within iso14229.c. When processing a 0x27 SecurityAccess request, the function reads the subFunction byte from recv_buf[1] without verifying that the received message length (recv_len) is at least 2. If recv_len equals 1, the calculation (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN) underflows to 65535, causing the application to pass an excessively large length to SecAccessValidateKey or SecAccessRequestSeed callbacks. These callbacks typically iterate or copy that many bytes from the 4-KB receive buffer, resulting in an out-of-bounds read and potential crash of the UDS server. This vulnerability is unique to the 0x27 handler, as other UDS sub-function handlers perform proper length checks. The vulnerability is exploitable remotely without authentication over CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session. It affects devices such as automotive ECUs, industrial controllers, and IoT devices using this library as their UDS server.

A remote unauthenticated attacker can send a crafted single-byte 0x27 SecurityAccess request to cause an integer underflow in the key-data length calculation. This leads to an out-of-bounds read of memory beyond the receive buffer, potentially crashing the UDS server and causing denial of service. Additionally, the attacker may read memory contents past the intended buffer, which could lead to information disclosure. The vulnerability affects devices using the iso14229 library as their UDS server, including automotive ECUs, industrial controllers, and IoT devices. The CVSS 4.0 score of 7.8 reflects high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch has been documented as of the provided information. Until a patch is available, users should consider implementing input validation to ensure that received SecurityAccess requests have a minimum length of two bytes before processing. Additionally, monitoring for anomalous single-byte 0x27 requests and restricting access to the UDS server interface where possible may reduce exposure. Follow vendor advisories for updates and apply official fixes once released.