Buffer Overflow Flaw in Nissan Infotainment System by Bosch
CVE-2025-32061

8.8HIGH

Key Information:

Vendor

Bosch
Status
Infotainment System Ecu
Vendor
CVE Published:
15 February 2026

What is CVE-2025-32061?

A significant flaw has been identified in the Bluetooth stack of the infotainment system developed by Bosch for the 2020 Nissan Leaf ZE1. This vulnerability arises due to improper boundary validation of user-provided data, permitting a stack-based buffer overflow when a specific packet is received over the established L2CAP channel. Exploiting this vulnerability allows an attacker to gain remote code execution on the Infotainment ECU with root privileges, posing potential risks to vehicle security and user safety.

Affected Version(s)

Infotainment system ECU Linux 283C30861E

References

https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html
product
http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Ex...
media-coverage
https://pcacybersecurity.com/resources/advisory/vulnerabi...
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mikhail Evdokimov (PCA Cyber Security Assessment Team)
.