CVE-2021-28362
Severity: HIGH
Contiki < 3.0 - Denial of Service via ICMPv6 Error Message with Invalid Extension Header
An issue was discovered in Contiki through 3.0. When sending an ICMPv6 error message because of invalid extension header options in an incoming IPv6 packet, there is an attempt to remove the RPL extension headers. Because the packet length and the extension header length are unchecked (with respect to the available data) at this stage, and these variables are susceptible to integer underflow, it is possible to construct an invalid extension header that will cause memory corruption issues and lead to a Denial-of-Service condition. This is related to rpl-ext-header.c.
References (2)
https://www.kb.cert.org/vuls/id/815128 (Third Party Advisory, US Government Resource)
https://github.com/contiki-os/contiki/releases (Release Notes, Third Party Advisory)
Scores
CVSS v3
7.5
EPSS
0.0131
EPSS Percentile
66.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-191
Status
published
Products (1)
contiki-os/contiki
< 3.0
Published
Mar 24, 2021
Tracked Since
Feb 18, 2026