CVE-2024-52802

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-52802
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52802.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-52802
Aliases
  • GHSA-xgv3-pcq6-qmrg
Published
2024-11-22T15:41:29.609Z
Modified
2025-12-01T17:52:46.268360Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
RIOT-OS missing dhcpv6_opt_t minimum header length check
Details

RIOT is an operating system for internet of things (IoT) devices. In version 2024.04 and prior, the function _parse_advertise, located in /sys/net/application_layer/dhcpv6/client.c, has no minimum header length check for dhcpv6_opt_t after processing dhcpv6_msg_t. This omission could lead to an out-of-bound read, causing system inconsistency. Additionally, the same lack of a header length check is present in the function _preparse_advertise, which is called by _parse_advertise before handling the request. As of time of publication, no known patched version exists.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-125",
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52802.json"
}
References

Affected packages

Git / github.com/riot-os/riot

Affected ranges

Type
GIT
Repo
https://github.com/riot-os/riot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7bec6cb0b125af6ca99f0d850f6069436b1cedc8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2024.04"
        }
    ]
}

Affected versions

2013.*

2013.08

2014.*

2014.01
2014.05
2014.12

2015.*

2015.09-RC1
2015.12-RC1
2015.12-devel

2016.*

2016.03-devel
2016.04-RC1
2016.07-RC1
2016.07-RC2
2016.07-devel
2016.10-RC1
2016.10-devel

2017.*

2017.01-RC1
2017.01-devel
2017.04-RC1
2017.04-devel
2017.07-RC1
2017.07-devel
2017.10-RC1
2017.10-devel

2018.*

2018.01-RC1
2018.01-devel
2018.04-RC1
2018.04-devel
2018.07-RC1
2018.07-devel
2018.10-RC1
2018.10-devel

2019.*

2019.01-RC1
2019.01-devel
2019.04-RC1
2019.04-devel
2019.07-RC1
2019.07-devel
2019.10-RC1
2019.10-devel

2020.*

2020.01-RC1
2020.01-devel
2020.04-RC1
2020.04-devel
2020.07-RC1
2020.07-devel
2020.10-RC1
2020.10-devel

2021.*

2021.01-RC1
2021.01-devel
2021.04-RC1
2021.04-devel
2021.07-RC1
2021.07-devel
2021.10-RC1
2021.10-devel

2022.*

2022.01-RC1
2022.01-devel
2022.04-RC1
2022.04-devel
2022.07-RC1
2022.07-devel
2022.10-RC1
2022.10-devel

2023.*

2023.01-RC1
2023.01-devel
2023.04-RC1
2023.04-devel
2023.07-RC1
2023.07-devel
2023.10-RC1
2023.10-devel

2024.*

2024.01-RC1
2024.01-devel
2024.04-devel