CVE-2023-24820

HIGH

RIOT-OS <2022.10 - DoS

Title source: llm

Description

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a large out of bounds write beyond the packet buffer. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset. Thus the impact is denial of service. Version 2022.10 fixes this issue. As a workaround, apply the patch manually.

References (3)

[Vendor Advisory] https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-vpx8-h94p-9vrj

[Patch] https://github.com/RIOT-OS/RIOT/pull/18817/commits/2709fbd827b688fe62df2c77c316914f4a3a6d4a

[Patch] https://github.com/RIOT-OS/RIOT/pull/18820/commits/d052e2ee166e55bbdfe4c455e65dbd7e3479ebe3

Scores

CVSS v3 7.5

EPSS 0.0056

EPSS Percentile 68.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-191 CWE-787

Status published

Products (1)

riot-os/riot < 2022.10

Published Apr 24, 2023

Tracked Since Feb 18, 2026