Out-of-bounds reads in RPL-Lite implementation in Contiki-NG operating system
CVE-2023-50927

8.6HIGH

Key Information:

Vendor: Contiki-ng
Status: Contiki-ng
Vendor: CVE Published:; 14 February 2024

What is CVE-2023-50927?

The Contiki-NG operating system, designed for Next-Generation IoT devices, is vulnerable due to out-of-bounds read conditions stemming from inadequate management of message lengths in its RPL-Lite protocol implementation. Attackers can exploit this vulnerability by manipulating DIO and DAO messages, particularly with RPL sub-option headers. Users are recommended to upgrade to Contiki-NG 4.9 where this issue has been addressed. Users who are unable to upgrade should consider applying the changes from PR #2484 manually to mitigate risks.

Affected Version(s)

contiki-ng < 4.9

References

https://github.com/contiki-ng/contiki-ng/security/advisor...

x_refsource_CONFIRM

https://github.com/contiki-ng/contiki-ng/pull/2484

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Dec 15, 2023

Contiki-ng

What is CVE-2023-50927?

Affected Version(s)

References

CVSS V3.1

Timeline