Vulnerability Description
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prior. The IPv6 header decompression function (<code>uncompress_hdr_iphc</code>) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that causes the function to read more bytes than are available in the packet buffer. As of the time of publication, there is no release with a patch available. Users can apply the patch for this vulnerability out-of-band as a workaround.
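The defensive pattern the description says was missing, as an added example that is not Contiki-NG's code: a hypothetical, simplified walker over the first fields of an RFC 6282 IPHC header that checks the remaining buffer length before every read, so a truncated or mis-advertised packet is rejected rather than read past its end. Field layout follows RFC 6282 (TF, NH and HLIM bits of the first byte); the function and type names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified IPHC walker, not Contiki-NG code. It models the
 * start of an RFC 6282 IPHC header: the 2-byte base header followed by the
 * inline traffic-class/flow-label (TF), next-header (NH) and hop-limit (HLIM). */
typedef struct {
    int     has_next_header, has_hop_limit;
    uint8_t next_header, hop_limit;
    size_t  consumed;                  /* bytes of buf actually read */
} iphc_fields_t;
/* Inline traffic-class/flow-label bytes for TF = 00, 01, 10, 11. */
static const size_t tf_inline_len[4] = { 4, 3, 1, 0 };
/* Every read is checked against buf_len, so a truncated packet returns -1
 * instead of reading past the end of the buffer. */
int iphc_walk_checked(const uint8_t *buf, size_t buf_len, iphc_fields_t *out)
{
    memset(out, 0, sizeof(*out));
    if (buf_len < 2 || (buf[0] & 0xE0) != 0x60) return -1; /* 011xxxxx: IPHC */
    uint8_t tf = (buf[0] >> 3) & 0x03, nh = (buf[0] >> 2) & 0x01, hlim = buf[0] & 0x03;
    size_t pos = 2;                    /* pos <= buf_len is an invariant below */
    if (buf_len - pos < tf_inline_len[tf]) return -1;
    pos += tf_inline_len[tf];
    if (nh == 0) {                     /* NH=0: next header carried inline */
        if (buf_len - pos < 1) return -1;
        out->has_next_header = 1;
        out->next_header = buf[pos++];
    }
    if (hlim == 0) {                   /* HLIM=00: hop limit carried inline */
        if (buf_len - pos < 1) return -1;
        out->has_hop_limit = 1;
        out->hop_limit = buf[pos++];
    }
    out->consumed = pos;
    return 0;
}
/* Constructed sample: TF=00, NH=0, HLIM=00, so 4+1+1 inline bytes follow. */
static const uint8_t sample_full[8] = { 0x60, 0x00, 0, 0, 0, 0, 0x3A, 0x40 };
int iphc_demo_consumed(void)           /* complete packet: 8 bytes consumed */
{
    iphc_fields_t f;
    return iphc_walk_checked(sample_full, sizeof sample_full, &f) == 0 ? (int)f.consumed : -1;
}
int iphc_demo_truncated(void)          /* same bytes cut to 7: hop limit missing */
{
    iphc_fields_t f;
    return iphc_walk_checked(sample_full, 7, &f);
}
```

The second sample advertises an inline hop limit that the 7-byte buffer does not contain; without the length check the walker would read one byte past the buffer, which is the class of defect the advisory describes.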
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Contiki-Ng | Contiki-Ng | <= 4.6 |
Related Weaknesses (CWE)
References
- https://github.com/contiki-ng/contiki-ng/pull/1482 (Patch, Third Party Advisory)
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-hhwj-2p59-v8p9 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-21410?
CVE-2021-21410 is a vulnerability with a CVSS score of 8.2 (HIGH). Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be triggered by 6LoWPAN packets sent to devices running Contiki-NG 4.6 and prio...
How severe is CVE-2021-21410?
CVE-2021-21410 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21410?
Check the references section above for vendor advisories and patch information. Affected product: Contiki-Ng (vendor: Contiki-Ng).