RIOT-OS vulnerable to Buffer Overflow during IPHC receive
CVE-2023-24819

9.8CRITICAL

Key Information:

Vendor: Riot-os
Status: Riot
Vendor: CVE Published:; 24 April 2023

What is CVE-2023-24819?

The network stack of RIOT-OS, designed for Internet of Things devices, is susceptible to a serious vulnerability that allows an attacker to send a specifically crafted 6LoWPAN frame. This can lead to an out of bounds write within the packet buffer, potentially corrupting additional packets and allocator metadata. By manipulating the allocator data, an attacker might execute arbitrary code or trigger a denial of service. To mitigate this risk, upgrade to version 2022.10 or disable support for fragmented IP datagrams manually.

Affected Version(s)

RIOT < 2022.10

References

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/RIOT-OS/RIOT/pull/18817/commits/736151...

x_refsource_MISC

https://github.com/RIOT-OS/RIOT/pull/18820/commits/da63e4...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2023
Vulnerability Reserved
Jan 30, 2023

Riot-os

What is CVE-2023-24819?

Affected Version(s)

References

CVSS V3.1

Timeline