Off-by-One Buffer Overflow in CANBoat Allows Remote Denial of Service
CVE-2026-56790

7HIGH

Key Information:

Vendor: Canboat
Status: Canboat
Vendor: CVE Published:; 25 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-56790?

The CANBoat application prior to version 6.22 is susceptible to an off-by-one global buffer overflow vulnerability within the searchForPgn() function, located in analyzer/pgn.c. This flaw may be exploited by remote attackers who deliver specially crafted NMEA-2000 messages containing out-of-range PGN values over a CAN bus or N2K-over-IP connection. Successful exploitation can lead to an out-of-bounds array access, causing the application to crash and resulting in a denial of service.

Affected Version(s)

canboat 0 <= 6.22

canboat a5a22b74b9ac5688019cba62669df08562cebd6f

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-56790 - Proof of Concept

References

https://github.com/canboat/canboat/issues/644

technical-descriptionexploit

https://github.com/canboat/canboat/pull/649

issue-tracking

https://github.com/canboat/canboat/commit/a5a22b74b9ac568...

patch

CVSS V4

Score:

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 25, 2026
👾
Exploit known to exist
Jun 25, 2026
Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 23, 2026

Credit

FuzzingLabs

CVE-2026-56790 Data

JSON

Canboat