CVE-2024-41126: Out-of-bounds read when decoding SNMP messages in Contiki-NG
Contiki-NG is an open-source, cross-platform operating system for IoT devices. An out-of-bounds read of 1 byte can be triggered when sending a packet to a device running the Contiki-NG operating system with SNMP enabled. The SNMP module is disabled in the default Contiki-NG configuration. The vulnerability exists in the os/net/app-layer/snmp/snmp-message.c module, where the snmp_message_decode function fails to check the boundary of the message buffer when reading a byte from it immediately after decoding an object identifier (OID). The problem has been patched in Contiki-NG pull request 2937. It will be included in the next release of Contiki-NG. Users are advised to either apply the patch manually or to wait for the next release. A workaround is to disable the SNMP module in the Contiki-NG build configuration.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2024-41126?
CVE-2024-41126 is classified as a medium severity vulnerability due to the potential for out-of-bounds reads.
How do I fix CVE-2024-41126?
To mitigate CVE-2024-41126, disable the SNMP module in the Contiki-NG configuration if it is not required.
What systems are affected by CVE-2024-41126?
CVE-2024-41126 affects devices that run the Contiki-NG operating system with SNMP enabled.
What type of vulnerability is CVE-2024-41126?
CVE-2024-41126 is an out-of-bounds read vulnerability that can be triggered when sending packets to affected IoT devices.
Can CVE-2024-41126 be exploited remotely?
Yes, CVE-2024-41126 can be exploited remotely if the SNMP module is enabled on the device.