CVE-2023-24821

RIOT-OS vulnerable to Integer Underflow during defragmentation

Description

RIOT-OS, an operating system that supports Internet of Things devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2022.10, an attacker can send a crafted frame to the device resulting in a large out of bounds write beyond the packet buffer. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset, thus the impact is denial of service. Version 2022.10 fixes this issue. As a workaround, disable support for fragmented IP datagrams or apply the patches manually.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.18%
Vendor Advisory github.com
Affected: RIOT-OS RIOT
Published at:
Updated at:

References

Link Tags
https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2fpr-82xr-p887 patch vendor advisory
https://github.com/RIOT-OS/RIOT/pull/18817/commits/9728f727e75d7d78dbfb5918e0de1b938b7b6d2c patch
https://github.com/RIOT-OS/RIOT/pull/18820/commits/bd31010231f5340e21410595dd95afc86bbfd341 patch

Frequently Asked Questions

What is the severity of CVE-2023-24821?
CVE-2023-24821 has been scored as a high severity vulnerability.
How to fix CVE-2023-24821?
To fix CVE-2023-24821, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-24821 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-24821 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-24821?
CVE-2023-24821 affects RIOT-OS RIOT.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.