CVE-2024-41126
contiki-ng vulnerability - contiki-ng
Description
Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG configuration. The vulnerability exists in the os/net/app-layer/snmp/snmp-message.c module, where the snmp_message_decode function fails to check the boundary of the message buffer when reading a byte from it immediately after decoding an object identifier (OID). The problem has been patched in Contiki-NG pull request 2937. It will be included in the next release of Contiki-NG. Users are advised to either apply the patch manually or to wait for the next release. A workaround is to disable the SNMP module in the Contiki-NG build configuration.
Affected Systems
| Vendor | contiki-ng |
| Product | contiki-ng |
| Affected Versions | through 4.9 |
| CWE ID | CWE-125 |
Mitigation
Apply the latest security patches from the vendor, restrict network exposure where applicable, and monitor for exploitation attempts.
Fix Instructions
Refer to the vendor advisory and apply the latest security updates. See references for detailed patching instructions.
References
Risk Assessment
CVSS: 8.3/10
| Exploit Available | Unknown |
| Patch Available | Yes |
Need Help Patching?
Our security team can help assess and remediate this vulnerability in your environment.
Get HelpRelated Vulnerabilities
Stay Ahead of Threats
Subscribe to our vulnerability feed and get instant alerts when new CVEs affect your systems.
Start Monitoring