CVE-2023-24823

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions RIOT-OS versions prior to 2022.10

Description The issue arises from a type confusion between IPv6 extension headers and a UDP header while encoding a 6LoWPAN IPHC header in the network stack. This type confusion results in an out of bounds write in the packet buffer, potentially leading to denial of service by corrupting other packets and the allocator metadata. Furthermore, an attacker can manipulate the allocator metadata to write data to arbitrary locations, thus enabling the execution of arbitrary code.

Recommendations For versions prior to 2022.10, update to version 2022.10 to resolve the issue. As a temporary workaround for versions prior to 2022.10, apply the patches manually.

Exploit

Fix

Type Confusion

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-843CWE-787

Related Identifiers

CVE-2023-24823

GHSA-JWMV-47P2-HGQ2

Affected Products

Riot-Os

CVE-2023-24823

Weakness Enumeration

Related Identifiers

Affected Products

References · 8