CVE-2022-35926

Name of the Vulnerable Software and Affected Versions Contiki-NG versions prior to 4.8

Description The issue is related to insufficient validation of IPv6 neighbor discovery options, allowing attackers to send neighbor solicitation packets that trigger an out-of-bounds read. This problem exists in the module os/net/ipv6/uip-nd6.c, specifically with memory read operations from the main packet buffer, uip buf, which are not checked for out-of-bounds access. The attack can occur when reading the 2-byte option header and the Source Link-Layer Address Option (SLLAO), and it requires IPv6 to be enabled for the network.

Recommendations For versions prior to 4.8, upgrade to version 4.8 or later, which includes the patch for this issue. As a temporary workaround, users unable to upgrade may apply the patch in Contiki-NG PR #1654.