Contiki-NG has off-by-one error in Antelope DBMS
CVE-2023-30546

9.8CRITICAL

Key Information:

Vendor: Contiki-ng
Status: Contiki-ng
Vendor: CVE Published:; 26 April 2023

What is CVE-2023-30546?

An off-by-one error exists in the Contiki-NG operating system, specifically affecting the Antelope database management system. This issue arises in the Contiki File System (CFS) backend and can lead to memory access violations. The error occurs when allocating a buffer for merging two strings, which has one byte less than the required size. This situation can trigger subsequent function calls to read beyond the allocated buffer, potentially leading to unauthorized memory access. A fix has been developed and is available in the 'develop' branch of Contiki-NG, with expectations for it to be included in the next release. Users are encouraged to apply the patch from pull request #2425 as an immediate mitigation.

Affected Version(s)

contiki-ng <= 4.8

References

https://github.com/contiki-ng/contiki-ng/security/advisor...

x_refsource_CONFIRM

https://github.com/contiki-ng/contiki-ng/pull/2425

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Apr 12, 2023

Contiki-ng

What is CVE-2023-30546?

Affected Version(s)

References

CVSS V3.1

Timeline