PT-2023-19800 · Riot-Os · Riot-Os

Diff-Fusion

Published: 2023-04-24 · Updated: 2023-05-03 · CVE-2023-24819

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
RIOT-OS versions prior to 2022.10

Description
The network stack in RIOT-OS, which supports Internet of Things devices, contains a flaw in how it processes 6LoWPAN frames. An attacker can send a crafted frame to the device, resulting in an out-of-bounds write in the packet buffer. This overflow can corrupt other packets and the allocator metadata, leading to denial of service by corrupting a pointer. Furthermore, careful manipulation of the allocator metadata allows an attacker to write data to arbitrary locations, thus enabling the execution of arbitrary code.

Recommendations
Update versions prior to 2022.10 to version 2022.10 to fix the issue. As a temporary workaround, consider disabling support for fragmented IP datagrams until the update is applied. Alternatively, apply the patches manually to resolve the issue.

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related identifiers

CVE-2023-24819
GHSA-FV97-2448-GCF6

Affected products

Riot-Os