Automotive ECUs and industrial controllers running the affected library can be remotely crashed by any attacker with access to the diagnostic transport channel, causing vehicle subsystem outages or industrial equipment shutdowns without warning. The out-of-bounds read can expose firmware internals, cryptographic seed values, or other in-memory data processed during diagnostic sessions, creating confidentiality risk for proprietary systems. Organizations shipping products with this library face recall-level remediation complexity, potential regulatory scrutiny under automotive safety and product liability frameworks, and reputational exposure if exploitation in a deployed product is publicly disclosed.
You Are Affected If
Your firmware or embedded product includes the driftregion iso14229 library at version 0.9.0 or earlier as its UDS server implementation
Devices are reachable over DoIP (TCP/UDP port 13400), an OBD-II diagnostic port, ISO-TP over CAN, or any CAN bus that offers diagnostic session access
The UDS SecurityAccess service (0x27) is enabled and reachable in the default diagnostic session without prior authentication
No SBOM-based inventory process is in place to identify third-party C library usage in firmware builds
Patched firmware has not yet been built and deployed to production ECUs or device fleets
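To illustrate the two conditions above (SecurityAccess reachable in the default session, and request bytes read without length checks), here is an added example of a length-checked SecurityAccess (SID 0x27) request parser. It is not code from the iso14229 project and the advisory does not state the bug's root cause; the session gate, the assumed 16-byte key bound and the NRC choices are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UDS_SID_SECURITY_ACCESS 0x27
#define UDS_SESSION_DEFAULT     0x01
#define UDS_MAX_KEY_LEN         16   /* assumed per-ECU bound, not from the page */

/* ISO 14229 negative response codes used here:
 * IMLOIF = incorrectMessageLengthOrInvalidFormat,
 * SFNS   = subFunctionNotSupported,
 * SNSIAS = serviceNotSupportedInActiveSession */
enum { NRC_OK = 0x00, NRC_SFNS = 0x12, NRC_IMLOIF = 0x13, NRC_SNSIAS = 0x7F };

struct sa_request {
    uint8_t subfn;                 /* odd = requestSeed, even = sendKey */
    uint8_t key[UDS_MAX_KEY_LEN];  /* copied key for sendKey, else unused */
    size_t  key_len;               /* 0 for requestSeed */
};

/* Returns NRC_OK and fills *out, or the negative response code to send.
 * Every access to buf[i] is preceded by a check that i < len, so a
 * truncated or oversized request can never read past the buffer. */
int uds_parse_security_access(const uint8_t *buf, size_t len,
                              uint8_t session, struct sa_request *out)
{
    if (session == UDS_SESSION_DEFAULT)   /* gate: not in default session */
        return NRC_SNSIAS;
    if (buf == NULL || out == NULL || len < 2)  /* need SID + subfunction */
        return NRC_IMLOIF;
    if (buf[0] != UDS_SID_SECURITY_ACCESS)
        return NRC_IMLOIF;
    uint8_t subfn = buf[1] & 0x7F;        /* bit 7 = suppressPosRspMsgIndication */
    if (subfn == 0x00 || subfn == 0x7F)   /* reserved subfunction values */
        return NRC_SFNS;
    memset(out, 0, sizeof(*out));
    out->subfn = subfn;
    if (subfn & 1)                        /* requestSeed: no key bytes expected */
        return NRC_OK;
    size_t key_len = len - 2;             /* sendKey: key follows the subfunction */
    if (key_len == 0 || key_len > UDS_MAX_KEY_LEN)
        return NRC_IMLOIF;
    memcpy(out->key, buf + 2, key_len);   /* bounded by the check above */
    out->key_len = key_len;
    return NRC_OK;
}
```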
Board Talking Points
A publicly disclosed flaw in a widely used automotive diagnostic library allows attackers to crash or read memory from ECUs and industrial controllers with no login required.
Engineering and product security teams should audit all firmware builds for this library within 5 business days and deploy patched firmware on an expedited schedule.
Without remediation, any party with physical or network access to an affected device's diagnostic port can trigger a crash or extract sensitive firmware data, creating product liability and safety exposure.
UN R155 / WP.29 — Automotive cybersecurity regulation directly applicable to ECUs; a remotely exploitable crash in a diagnostic handler may constitute a reportable cybersecurity incident under vehicle type-approval obligations
IEC 62443 — Industrial automation and control system security standard applies to industrial controllers shipping this library; unauthenticated remote crash meets the threshold for risk re-assessment under IEC 62443-3-3