CVE-2021-21280
CVE-2021-21280 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. EPSS estimates a 1.06% chance of exploitation in the next 30 days.
Description
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked to be within the available space, thereby making it possible to write outside the buffer. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Contiki-Ng | Contiki-Ng | < 4.6 |
References
- https://github.com/contiki-ng/contiki-ng/pull/1409 (Patch, Third Party Advisory)
- https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-r768-hrhf-v592 (Exploit, Patch, Third Party Advisory)
Source: NVD / NIST
