PT-2022-23033 · Unknown · Contiki-Ng

Joakimeriksson · Published 2022-08-04 · Updated 2022-08-11 · CVE-2022-35927

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Contiki-NG versions prior to 4.7

Description

The issue is in the RPL-Classic routing protocol implementation in the Contiki-NG operating system. An incoming DODAG Information Option (DIO) control message can contain a prefix information option whose length parameter is not validated. This can cause a buffer overflow when the prefix is copied in the set_ip_from_prefix function. The estimated number of potentially affected devices is not provided, and there is no information about real-world incidents where this issue was exploited.

Recommendations

To resolve the issue, users should upgrade to Contiki-NG 4.7 or later. As a temporary workaround, consider restricting the reception of RPL DIO messages from external parties until a patched version is installed. There are no other workarounds for this issue.
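The missing length validation described above can be illustrated with a bounded prefix copy. This is an added example, not Contiki-NG's code or its fix: the types and function names are hypothetical, and it assumes the length field is the 8-bit prefix length in bits carried by the prefix information option.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_ADDR_BITS  128u
#define IP6_ADDR_BYTES (IP6_ADDR_BITS / 8u)

/* Hypothetical types for illustration; not Contiki-NG's definitions. */
typedef struct { uint8_t u8[IP6_ADDR_BYTES]; } ip6_addr_t;

typedef struct {
  ip6_addr_t prefix;
  uint8_t length_bits;   /* taken from the received option, sender-controlled */
} prefix_info_t;

/* Bytes needed to hold length_bits bits. For an unchecked 8-bit length this
 * can reach (255 + 7) / 8 = 32, twice the size of a 16-byte address. */
static size_t prefix_bytes(uint8_t length_bits)
{
  return ((size_t)length_bits + 7u) / 8u;
}

/* Copy the prefix into dst. Returns 0 on success, -1 if the advertised
 * length cannot fit in an IPv6 address (the message should be dropped). */
int copy_prefix_checked(ip6_addr_t *dst, const prefix_info_t *info)
{
  size_t n;

  if(dst == NULL || info == NULL || info->length_bits > IP6_ADDR_BITS) {
    return -1;
  }
  n = prefix_bytes(info->length_bits);
  memset(dst, 0, sizeof(*dst));
  memcpy(dst->u8, info->prefix.u8, n);
  /* Clear bits beyond the prefix in the last partially used byte. */
  if(info->length_bits % 8u != 0u) {
    dst->u8[n - 1] &= (uint8_t)(0xFFu << (8u - info->length_bits % 8u));
  }
  return 0;
}
```

Rejecting the option before any copy keeps the destination untouched, so the caller can discard the whole DIO on a -1 return.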

Exploit

Fix

Weakness Enumeration: Buffer Overflow

Related Identifiers: CVE-2022-35927, GHSA-9RM9-3PHH-P4WM

Affected Products: Contiki-Ng