CVE-2021-28362

Published: Mar 24, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Contiki through 3.0. When sending an ICMPv6 error message because of invalid extension header options in an incoming IPv6 packet, there is an attempt to remove the RPL extension headers. Because the packet length and the extension header length are unchecked (with respect to the available data) at this stage, and these variables are susceptible to integer underflow, it is possible to construct an invalid extension header that will cause memory corruption issues and lead to a Denial-of-Service condition. This is related to rpl-ext-header.c.

Affected (1)

Products: Contiki Os: Contiki

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Contiki Os Contiki	Up to 3.0

Related CWEs

Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

References (4)

https://github.com/contiki-os/contiki/releases

Source: cve@mitre.org

Release NotesThird Party Advisory

https://www.kb.cert.org/vuls/id/815128

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://github.com/contiki-os/contiki/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://www.kb.cert.org/vuls/id/815128

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.