Out-of-bounds read when decompressing UDP header
CVE-2022-36052

5.9MEDIUM

Key Information:

Vendor: Contiki-ng
Status: Contiki-ng
Vendor: CVE Published:; 1 September 2022

What is CVE-2022-36052?

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. The 6LoWPAN implementation in Contiki-NG may cast a UDP header structure at a certain offset in a packet buffer. The code does not check whether the packet buffer is large enough to fit a full UDP header structure from the offset where the casting is made. Hence, it is possible to cause an out-of-bounds read beyond the packet buffer. The problem affects anyone running devices with Contiki-NG versions previous to 4.8, and which may receive 6LoWPAN packets from external parties. The problem has been patched in Contiki-NG version 4.8.

Affected Version(s)

contiki-ng < 4.8

References

https://github.com/contiki-ng/contiki-ng/pull/1648

x_refsource_MISC

https://github.com/contiki-ng/contiki-ng/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 1, 2022
Vulnerability Reserved
Jul 15, 2022

Contiki-ng

What is CVE-2022-36052?

Affected Version(s)

References

CVSS V3.1

Timeline