CVE-2023-24826

MEDIUM

RIOT-OS <2023.04 - DoS

Title source: llm

Description

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service. This issue is fixed in version 2023.04. As a workaround, disable fragment forwarding or SFR.

References (4)

[Vendor Advisory] https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-xfj4-9g7w-f4gh

[Patch] https://github.com/RIOT-OS/RIOT/commit/287f030af20e829469cdf740606148018a5a220d

[Product] https://github.com/RIOT-OS/RIOT/blob/ccbb304eae7b59e8aca24a6ffd095b5b3f7720ee/sys/net/gnrc/network_layer/sixlowpan/frag/sfr/gnrc_sixlowpan_frag_sfr.c#L402

View Writeup ZIP pw:eip

[Product] https://github.com/RIOT-OS/RIOT/blob/ccbb304eae7b59e8aca24a6ffd095b5b3f7720ee/sys/net/gnrc/network_layer/sixlowpan/frag/sfr/gnrc_sixlowpan_frag_sfr.c#L420

Scores

CVSS v3 5.9

EPSS 0.0027

EPSS Percentile 50.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-824

Status published

Products (1)

riot-os/riot < 2023.04

Published May 30, 2023

Tracked Since Feb 18, 2026