First published: Wed Mar 24 2021
An issue was discovered in Contiki through 3.0. When sending an ICMPv6 error message because of invalid extension header options in an incoming IPv6 packet, there is an attempt to remove the RPL extension headers. Because the packet length and the extension header length are unchecked (with respect to the available data) at this stage, and these variables are susceptible to integer underflow, it is possible to construct an invalid extension header that will cause memory corruption issues and lead to a Denial-of-Service condition. This is related to rpl-ext-header.c.
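The failure mode described above is a length check that is missing before a subtraction: if the extension header's declared length is never compared against the packet length (and against the bytes actually present in the buffer), the "remaining" length underflows and the subsequent move or copy runs over memory it should not. The following is an added example written for this page, not code from Contiki or from `rpl-ext-header.c`: it models an IPv6 packet with one RFC 8200-style extension header using this example's own `packet_t` structure, shows the wrap in isolation (`unchecked_remaining`), and then implements header removal with every length validated first (`remove_ext_header`). The sample packet built by `build_sample` is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an IPv6 packet and one extension header.
 * It is not Contiki's rpl-ext-header.c or its uip structures; names and
 * layout are this example's own.  The extension header follows RFC 8200:
 * byte 0 = next header, byte 1 = length in 8-octet units, not counting the
 * first 8 octets. */
#define EXT_HDR_UNIT 8
#define IPV6_FIXED_HDR_LEN 40

typedef struct {
    uint8_t *buf;      /* packet buffer */
    size_t   buf_size; /* bytes actually available in the buffer */
    uint16_t ip_len;   /* total length the packet claims for itself */
} packet_t;

/* Size in bytes of an extension header whose length field is `len_field`. */
static size_t ext_hdr_bytes(uint8_t len_field) {
    return ((size_t)len_field + 1) * EXT_HDR_UNIT;
}

/* The arithmetic the advisory warns about, in isolation: subtracting a
 * header length that was never compared against the packet length wraps
 * the 16-bit result to a huge "remaining" value.  Nothing is modified here;
 * the value is returned only to show the wrap. */
uint16_t unchecked_remaining(uint16_t ip_len, uint8_t len_field) {
    return (uint16_t)(ip_len - ext_hdr_bytes(len_field));
}

/* Hardened removal of the extension header at `hdr_offset`.  Every length
 * is validated against the claimed packet length and the bytes really in
 * the buffer before any memory is read or moved.  On success the preceding
 * header's next-header field (at `prev_nh_offset`) is relinked, the tail is
 * shifted down and ip_len is reduced; on failure nothing changes. */
bool remove_ext_header(packet_t *pkt, size_t prev_nh_offset, size_t hdr_offset) {
    if (pkt == NULL || pkt->buf == NULL) return false;
    /* A claimed length larger than the buffer means every later subtraction
     * would be computed against bytes that do not exist. */
    if (pkt->ip_len > pkt->buf_size) return false;
    if (prev_nh_offset >= hdr_offset) return false;
    /* The 2-byte prefix (next header, length) must lie inside the packet. */
    if (hdr_offset >= pkt->ip_len || pkt->ip_len - hdr_offset < 2) return false;

    size_t hdr_len = ext_hdr_bytes(pkt->buf[hdr_offset + 1]);
    /* This is the check whose absence lets ip_len - hdr_len underflow. */
    if (hdr_len > pkt->ip_len - hdr_offset) return false;

    size_t tail = pkt->ip_len - hdr_offset - hdr_len;   /* cannot underflow now */
    pkt->buf[prev_nh_offset] = pkt->buf[hdr_offset];    /* relink the chain */
    memmove(pkt->buf + hdr_offset, pkt->buf + hdr_offset + hdr_len, tail);
    pkt->ip_len = (uint16_t)(pkt->ip_len - hdr_len);
    return true;
}

/* Constructed sample packet (not a capture): a zeroed 40-byte fixed header
 * whose next-header byte says hop-by-hop (0), one 8-byte extension header
 * claiming next header 58 (ICMPv6) with the given length field, then 8
 * bytes of recognisable payload.  Returns the true packet length (56). */
static uint16_t build_sample(uint8_t *buf, size_t cap, uint8_t len_field) {
    memset(buf, 0, cap);
    buf[6] = 0;
    buf[IPV6_FIXED_HDR_LEN] = 58;
    buf[IPV6_FIXED_HDR_LEN + 1] = len_field;
    for (int i = 0; i < 8; i++) buf[IPV6_FIXED_HDR_LEN + 8 + i] = (uint8_t)(0xA0 + i);
    return IPV6_FIXED_HDR_LEN + 8 + 8;
}

/* Runs the hardened removal on the sample with the given length field.
 * Returns the resulting ip_len, -1 if the header was rejected, or -2 if the
 * chain was not relinked correctly. */
int demo_remove(uint8_t len_field) {
    uint8_t buf[64];
    packet_t pkt = { buf, sizeof buf, 0 };
    pkt.ip_len = build_sample(buf, sizeof buf, len_field);
    if (!remove_ext_header(&pkt, 6, IPV6_FIXED_HDR_LEN)) return -1;
    if (buf[6] != 58) return -2;
    return pkt.ip_len;
}

int main(void) {
    printf("valid 8-byte header  -> ip_len %d\n", demo_remove(0));        /* 48 */
    printf("overlong header      -> %d (rejected)\n", demo_remove(255));  /* -1 */
    printf("unchecked arithmetic -> %u\n", unchecked_remaining(56, 255)); /* 63544 */
    return 0;
}
```

The two comparisons that matter are `ip_len > buf_size` (the claimed length must be backed by real bytes) and `hdr_len > ip_len - hdr_offset` (the header must fit inside the claimed length); with both in place the subtraction that computes `tail` is provably non-negative, and a header whose length field is larger than the packet is rejected before `memmove` runs rather than wrapping to a value in the tens of thousands.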
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Contiki-os Contiki | <=3.0 | Update to a version higher than 3.0 |
CVE-2021-28362 is a vulnerability in Contiki OS version 3.0 and below: when an ICMPv6 error message is sent because of invalid extension header options in an incoming IPv6 packet, the attempt to remove the RPL extension headers uses a packet length and an extension header length that are not checked against the available data and can underflow.
CVE-2021-28362 has a severity rating of 7.5 out of 10 (high).
Contiki OS versions up to and including 3.0 are affected by CVE-2021-28362.
To fix CVE-2021-28362, it is recommended to update Contiki OS to a version higher than 3.0.
More information about CVE-2021-28362 can be found in the Contiki OS GitHub releases page and the CERT vulnerability database.