Integer Underflow (Wrap or Wraparound) Affecting riot-os/riot package, versions [,2022.10)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.16% (54th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-RIOTOSRIOT-5490043
  • published1 May 2023
  • disclosed1 May 2023
  • creditDiff-fusion

Introduced: 1 May 2023

CVE-2023-24821  (opens in a new tab)
CWE-191  (opens in a new tab)

How to fix?

Upgrade riot-os/riot to version 2022.10 or higher.

Overview

Affected versions of this package are vulnerable to Integer Underflow (Wrap or Wraparound) triggered by a large out of bounds write beyond the packet buffer, when processing a malicious frame. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset.

Workaround

This vulnerability can be avoided by disabling support for fragmented IP datagrams.

CVSS Scores

version 3.1