First published: Thu Sep 01 2022
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. The 6LoWPAN implementation in Contiki-NG may cast a UDP header structure at a certain offset in a packet buffer. The code does not check whether the packet buffer is large enough to fit a full UDP header structure from the offset where the casting is made. Hence, it is possible to cause an out-of-bounds read beyond the packet buffer. The problem affects anyone running devices with Contiki-NG versions previous to 4.8, and which may receive 6LoWPAN packets from external parties. The problem has been patched in Contiki-NG version 4.8.
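The bug class described above is a missing length check before a struct cast. The following C example, written for this page and not taken from Contiki-NG (the `udp_hdr` type, the `udp_len_*` functions and the sample packet are all constructed here), puts the unchecked pattern beside a hardened version that verifies the remaining buffer length before reading the header:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed UDP header layout (RFC 768 field order); NOT Contiki-NG's own type. */
struct udp_hdr {
    uint16_t srcport;
    uint16_t destport;
    uint16_t len;
    uint16_t chksum;
};
#define UDP_HDR_LEN 8u
_Static_assert(sizeof(struct udp_hdr) == UDP_HDR_LEN, "udp_hdr must be 8 bytes");

/* Read a big-endian 16-bit field byte-wise, independent of host byte order. */
static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Vulnerable pattern (hypothetical): trust 'offset', cast, and read the field.
 * If fewer than 8 bytes remain after 'offset', the read runs past the buffer. */
int udp_len_unchecked(const uint8_t *buf, size_t offset) {
    const struct udp_hdr *h = (const struct udp_hdr *)(buf + offset);
    return be16((const uint8_t *)&h->len);
}

/* Hardened version: confirm a full header fits before touching it, then copy it
 * out. The subtraction form avoids overflow in 'offset + UDP_HDR_LEN', and memcpy
 * also sidesteps the alignment hazard a raw pointer cast has on some MCUs.
 * Returns -1 for a truncated packet. */
int udp_len_checked(const uint8_t *buf, size_t buf_len, size_t offset) {
    if (offset > buf_len || buf_len - offset < UDP_HDR_LEN) {
        return -1;
    }
    struct udp_hdr h;
    memcpy(&h, buf + offset, UDP_HDR_LEN);
    return be16((const uint8_t *)&h.len);
}

/* Constructed sample: a 2-byte fake lower-layer prefix, then a UDP header with
 * src port 5683, dst port 5683, length 20, checksum 0xABCD. */
static const uint8_t good_pkt[] = {
    0x00, 0x00,
    0x16, 0x33, 0x16, 0x33, 0x00, 0x14, 0xAB, 0xCD
};
#define GOOD_OFFSET 2u

int main(void) {
    /* Complete packet: both parsers return the same length field. */
    printf("unchecked len=%d\n", udp_len_unchecked(good_pkt, GOOD_OFFSET));
    printf("checked   len=%d\n", udp_len_checked(good_pkt, sizeof good_pkt, GOOD_OFFSET));
    /* Packet cut 5 bytes into the header: only the checked parser refuses it. */
    printf("checked truncated=%d\n", udp_len_checked(good_pkt, GOOD_OFFSET + 5, GOOD_OFFSET));
    return 0;
}
```

The check is deliberately written as `buf_len - offset < UDP_HDR_LEN` after confirming `offset <= buf_len`, so an attacker-influenced offset cannot wrap the comparison; the same guard belongs in front of every header cast a packet parser makes, not only the UDP one.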
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Contiki-NG | <4.8 | Update to 4.8 or later |
CVE-2022-36052 is a vulnerability in the 6LoWPAN implementation of the Contiki-NG operating system: the code casts a UDP header structure at an offset in a packet buffer without checking that the buffer is large enough to hold a full UDP header from that offset, so a crafted 6LoWPAN packet can trigger an out-of-bounds read beyond the packet buffer.
CVE-2022-36052 affects Contiki-NG versions up to but not including 4.8; any device running such a version and able to receive 6LoWPAN packets from external parties is exposed.
CVE-2022-36052 has a severity rating of 8.8 (high) based on the Common Vulnerability Scoring System (CVSS).
To fix CVE-2022-36052, users of Contiki-NG should update to version 4.8 or later, which includes a patch to mitigate the vulnerability.
More information about CVE-2022-36052 can be found on the Contiki-NG GitHub page: [link].