Login Sign Up

CVE-2021-21280

8.6 HIGH

📋 TL;DR

This vulnerability allows attackers to cause an out-of-bounds write in Contiki-NG IoT operating system when processing 6LoWPAN packets with extension header chains. This could lead to memory corruption, potential remote code execution, or denial of service. It affects all Contiki-NG versions prior to 4.6 running on IoT devices.

💻 Affected Systems

Products:
  • Contiki-NG
Versions: All versions prior to 4.6
Operating Systems: Contiki-NG OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using 6LoWPAN networking with extension headers enabled.

📦 What is this software?

Contiki Ng by Contiki Ng

View all CVEs affecting Contiki Ng →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data exfiltration, or device becoming part of a botnet.

🟠

Likely Case

Denial of service causing device crashes or instability, potentially disrupting IoT network operations.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only causing isolated device failures.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted 6LoWPAN packets to vulnerable devices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6

Vendor Advisory: https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-r768-hrhf-v592

Restart Required: Yes

Instructions:

1. Update Contiki-NG to version 4.6 or later. 2. Recompile and redeploy firmware to affected IoT devices. 3. Restart devices to apply the updated firmware.

🔧 Temporary Workarounds

Apply GitHub patch manually

all

Apply the specific patch from GitHub pull request #1409 to older Contiki-NG versions

git apply https://github.com/contiki-ng/contiki-ng/pull/1409.patch

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable IoT devices from untrusted networks
  • Deploy network monitoring to detect and block malicious 6LoWPAN packets with unusual extension header chains

🔍 How to Verify

Check if Vulnerable:

Check Contiki-NG version on device - if version is less than 4.6 and uses 6LoWPAN, it is vulnerable.

Check Version:

Check firmware version or compile-time version constants in Contiki-NG source code

Verify Fix Applied:

Verify Contiki-NG version is 4.6 or higher after update and test with 6LoWPAN packet fuzzing tools.

📡 Detection & Monitoring

Log Indicators:

  • Device crashes or reboots
  • Memory corruption errors in system logs
  • Unusual 6LoWPAN packet processing failures

Network Indicators:

  • Unusually long 6LoWPAN extension header chains
  • Malformed 6LoWPAN packets targeting IoT devices

SIEM Query:

source="iot-device" AND (event="crash" OR event="reboot") AND version<"4.6"

📊 Metadata

CVE ID: CVE-2021-21280
CVSS v3 Score: 8.6 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CWE: CWE-787
Published: June 18, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-21280, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)