CVE-2025-32058

9.3 CRITICAL
Published: February 15, 2026 Modified: February 18, 2026
View on NVD

Description

The Infotainment ECU manufactured by Bosch uses a RH850 module for CAN communication. RH850 is connected to infotainment over the INC interface through a custom protocol. There is a vulnerability during processing requests of this protocol on the V850 side which allows an attacker with code execution on the infotainment main SoC to perform code execution on the RH850 module and subsequently send arbitrary CAN messages over the connected CAN bus. First identified on Nissan Leaf ZE1 manufactured in 2020.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf
Source: cve@asrg.io
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch
Source: cve@asrg.io
https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html
Source: cve@asrg.io

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.3 / 10.0
EPSS (Exploit Probability)
0.0%
2th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-121

Related CVEs

CVE-2026-4497 7.3
CVE-2026-4496 5.3
CVE-2026-33010 8.1
CVE-2026-32710 8.5
CVE-2026-32318 7.6