CVE-2021-21410

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that will read more bytes than what is available from the packet buffer. As of time of publication, there is not a release with a patch available. Users can apply the patch for this vulnerability out-of-band as a workaround.
Configurations

Configuration 1 (hide)

cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*

History

24 Jun 2021, 19:27

Type Values Removed Values Added
CPE cpe:2.3:o:contiki-ng:contiki-ng:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 6.4
v3 : 9.1
References (CONFIRM) https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-hhwj-2p59-v8p9 - (CONFIRM) https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-hhwj-2p59-v8p9 - Patch, Third Party Advisory
References (MISC) https://github.com/contiki-ng/contiki-ng/pull/1482 - (MISC) https://github.com/contiki-ng/contiki-ng/pull/1482 - Patch, Third Party Advisory

18 Jun 2021, 22:15

Type Values Removed Values Added
CWE CWE-125
Summary Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that will read more bytes than what is available from the packet buffer. As of time of publication, there is not a release with a patch available. Users can apply the patch for this vulnerability out-of-band as a workaround. Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that will read more bytes than what is available from the packet buffer. As of time of publication, there is not a release with a patch available. Users can apply the patch for this vulnerability out-of-band as a workaround.

18 Jun 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-18 21:15

Updated : 2024-02-04 21:47


NVD link : CVE-2021-21410

Mitre link : CVE-2021-21410

CVE.ORG link : CVE-2021-21410


JSON object : View

Products Affected

contiki-ng

  • contiki-ng
CWE
CWE-125

Out-of-bounds Read