Martine Lenders

CVE-2023-24825 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.04 - Denial of Service via Crafted 6LoWPAN Frame

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device to trigger a NULL pointer dereference leading to denial of service. This issue is fixed in version 2023.04. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-24825 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.04 - Denial of Service via Crafted 6LoWPAN Frame

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device to trigger a NULL pointer dereference leading to denial of service. This issue is fixed in version 2023.04. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-24826 WRITEUP MEDIUM WRITEUP

RIOT-OS < 2023.04 - Denial of Service via Uninitialized Object in 6LoWPAN Frame Processing

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service. This issue is fixed in version 2023.04. As a workaround, disable fragment forwarding or SFR.

CVSS 5.9

View Code

CVE-2023-33973 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.01 - Denial of Service via NULL Pointer Dereference in 6LoWPAN Frame Processing

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service. A patch is available at pull request 19678. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-33974 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.01 - Denial of Service via 6LoWPAN Frame Race Condition

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions about the program state and leads to an invalid memory access resulting in denial of service. This issue is patched in pull request 19679. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-24817 WRITEUP HIGH WRITEUP

RIOT-OS <2023.04 - Memory Corruption

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device resulting in an integer underflow and out of bounds access in the packet buffer. Triggering the access at the right time will corrupt other packets or the allocator metadata. Corrupting a pointer will lead to denial of service. This issue is fixed in version 2023.04. As a workaround, disable SRH in the network stack.

CVSS 7.5

View Code

CVE-2023-24825 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.04 - Denial of Service via Crafted 6LoWPAN Frame

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send a crafted frame to the device to trigger a NULL pointer dereference leading to denial of service. This issue is fixed in version 2023.04. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-24826 WRITEUP MEDIUM WRITEUP

RIOT-OS < 2023.04 - Denial of Service via Uninitialized Object in 6LoWPAN Frame Processing

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service. This issue is fixed in version 2023.04. As a workaround, disable fragment forwarding or SFR.

CVSS 5.9

View Code

CVE-2023-33973 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.01 - Denial of Service via NULL Pointer Dereference in 6LoWPAN Frame Processing

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service. A patch is available at pull request 19678. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-33974 WRITEUP HIGH WRITEUP

RIOT-OS < 2023.01 - Denial of Service via 6LoWPAN Frame Race Condition

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions about the program state and leads to an invalid memory access resulting in denial of service. This issue is patched in pull request 19679. There are no known workarounds.

CVSS 7.5

View Code

CVE-2023-33975 WRITEUP CRITICAL WRITEUP

RIOT-OS < 2023.01 - Out-of-Bounds Write via 6LoWPAN Frame Processing

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code. This issue is fixed in pull request 19680. As a workaround, disable support for fragmented IP datagrams.

CVSS 9.8

View Code

CVE-2024-32017 WRITEUP CRITICAL WRITEUP

RIOT < 2024.01 - Buffer Overflow in gcoap_dns_server_proxy_get and _gcoap_forward_proxy_copy_options

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically 8-bit, 16-bit and 32-bit microcontrollers. The size check in the `gcoap_dns_server_proxy_get()` function contains a small typo that may lead to a buffer overflow in the subsequent `strcpy()`. In detail, the length of the `_uri` string is checked instead of the length of the `_proxy` string. The `_gcoap_forward_proxy_copy_options()` function does not implement an explicit size check before copying data to the `cep->req_etag` buffer that is `COAP_ETAG_LENGTH_MAX` bytes long. If an attacker can craft input so that `optlen` becomes larger than `COAP_ETAG_LENGTH_MAX`, they can cause a buffer overflow. If the input above is attacker-controlled and crosses a security boundary, the impact of the buffer overflow vulnerabilities could range from denial of service to arbitrary code execution. This issue has yet to be patched. Users are advised to add manual bounds checking.

CVSS 9.8

View Code

CVE-2025-66646 WRITEUP HIGH WRITEUP

RIOT OS < 2025.10 - Denial of Service via IPv6 Fragmentation Reassembly NULL Pointer Dereference

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.

CVSS 7.5

View Code

CVE-2025-66647 WRITEUP CRITICAL WRITEUP

RIOT OS < 2025.10 - Buffer Overflow in IPv6 Fragmentation Reassembly

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers which an attacker might be able to used to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue.

CVSS 9.8

View Code