CVE-2026-49316

CVE-2026-49316 is a medium-severity vulnerability with a CVSS 3.x base score of 4.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-440.

Key facts

Description

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

Frequently asked questions

What is CVE-2026-49316?
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.
How severe is CVE-2026-49316?
CVE-2026-49316 has a CVSS 3.x base score of 4.6, rated medium severity. It is exploitable over physical access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2026-49316 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (8th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-49316?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-49316 have an EU (EUVD) identifier?
Yes. CVE-2026-49316 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-33293.
When was CVE-2026-49316 published?
CVE-2026-49316 was published on 2026-05-29 and last updated on 2026-06-27.

References

Other CWE-440 vulnerabilities

Browse all CWE-440 vulnerabilities →