CVE-2026-49316
4.6 MEDIUMExpected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-net...
Published: 2026-05-29 · Last updated: 2026-05-29
Severity and scoring
- CVSS
- 4.6 MEDIUM
- Vector
- CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-440, CWE-693, CWE-754
Description
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-46541 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (7.5 HIGH)
- CVE-2026-48575 — Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally (7.9 HIGH)
- CVE-2026-48570 — Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally (7.9 HIGH)
- CVE-2026-48568 — Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally (7.9 HIGH)
- CVE-2026-47656 — Protection mechanism failure in Windows Boot Manager allows an authorized attacker to bypass a security feature locally (7.9 HIGH)