Contiki Ng
CVE-2021-21280
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked to be within the available space, thereby making it possible to write outside the buffer. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround.
AnalysisAI
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked to be within the available space, thereby making it possible to write outside the buffer. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround. Affected products include: Contiki-Ng. Version information: prior to 4.6.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).
More in Contiki Ng
View allAn issue was discovered in the MQTT server in Contiki-NG before 4.2. Rated critical severity (CVSS 10.0), this vulnerabi
Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function.
Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP agent. Rated critical severity (CVSS 9.8), t
contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can
Memory access out of buffer boundaries issues was discovered in Contiki-NG 4.4 through 4.5, in the SNMP BER encoder/deco
The Contiki-NG operating system versions 4.8 and prior can be triggered to dereference a NULL pointer in the message han
Contiki-NG is an open-source, cross-platform operating system for internet of things (IoT) devices. Rated critical sever
Contiki-NG is an open-source, cross-platform operating system for IoT devices. Rated critical severity (CVSS 9.8), this
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. Rated critical severity (C
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. Rated critical severity (C
An issue was discovered in Contiki through 3.0 and Contiki-NG through 4.5. Rated critical severity (CVSS 9.8), this vuln
Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP agent. Rated critical severity (CVSS 9.8), t
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today