CVE-2023-50926

CVSS 3.1 Score 7.5 of 10 (high)

Attack Complexity low
Availability high
Confidentiality none
Integrity none
Scope unchanged
Privileges Required none

Details

Published Feb 14, 2024
Updated: Jan 6, 2025
CWE ID 125

Summary

CVE-2023-50926 is a vulnerability affecting Contiki-NG, an open-source operating system for IoT devices. The issue arises from an incoming DIO message in the RPL-Lite implementation, which includes an unvalidated field specifying the length of an IPv6 address prefix. Malicious actors can exploit this by setting a value longer than the maximum prefix length, leading to an out-of-bounds read when the memcmp function is called. Contiki-NG users are advised to update to the latest release or manually apply the patch from pull request #2721 to mitigate this risk. The vulnerability has been fixed in the "develop" branch and is expected to be included in the next Contiki-NG release.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share