{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "4.9" } ] }, "events": [ { "introduced": "0" }, { "fixed": "c20b12cd2db707d6c07918f8b26cfeb52cf298ca" } ], "repo": "https://github.com/contiki-ng/contiki-ng", "type": "GIT" } ] } ], "aliases": [ "GHSA-9423-rgj4-wjfw" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-125" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50927.json" }, "details": "Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An attacker can trigger out-of-bounds reads in the RPL-Lite implementation of the RPL protocol in the Contiki-NG operating system. This vulnerability is caused by insufficient control of the lengths for DIO and DAO messages, in particular when they contain RPL sub-option headers. The problem has been patched in Contiki-NG 4.9. Users are advised to upgrade. Users unable to upgrade should manually apply the code changes in PR #2484.", "id": "CVE-2023-50927", "modified": "2026-04-01T23:09:33.932995230Z", "published": "2024-02-14T19:22:05.243Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50927.json" }, { "type": "ADVISORY", "url": "https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-9423-rgj4-wjfw" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50927" }, { "type": "FIX", "url": "https://github.com/contiki-ng/contiki-ng/pull/2484" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Insufficient boundary checks for DIO and DAO messages in RPL-Lite in Contiki-NG" }