CVE-2020-17438

CRITICAL

uIP 1.0 - Out-of-bounds Write via IP Fragment Reassembly

Title source: llm
STIX 2.1

Description

An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. The code that reassembles fragmented packets fails to properly validate the total length of an incoming packet specified in its IP header, as well as the fragmentation offset value specified in the IP header. By crafting a packet with specific values of the IP header length and the fragmentation offset, attackers can write into the .bss section of the program (past the statically allocated buffer that is used for storing the fragmented data) and cause a denial of service in uip_reass() in uip.c, or possibly execute arbitrary code on some target architectures.

References (2)

Core 2
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://www.kb.cert.org/vuls/id/815128
Third Party Advisory, US Government Resource x_refsource_misc
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01

Scores

CVSS v3 9.8
EPSS 0.1854
EPSS Percentile 96.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (1)
uip_project/uip 1.0
Published Dec 11, 2020
Tracked Since Feb 18, 2026