Home > Vulnerability Database > CVE-2023-30546

Mend.io Vulnerability Database

CVE-2023-30546

Date: April 26, 2023

Contiki-NG is an operating system for Internet of Things devices. An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system in versions 4.8 and prior. The problem exists in the Contiki File System (CFS) backend for the storage of data (file os/storage/antelope/storage-cfs.c). In the functions `storage_get_index` and `storage_put_index`, a buffer for merging two strings is allocated with one byte less than the maximum size of the merged strings, causing subsequent function calls to the cfs_open function to read from memory beyond the buffer size. The vulnerability has been patched in the "develop" branch of Contiki-NG, and is expected to be included in the next release. As a workaround, the problem can be fixed by applying the patch in Contiki-NG pull request #2425.

Language: C

Severity Score

8.6

Related Resources (4)

Url: https://github.com/contiki-ng/contiki-ng/security/advisories/GHSA-257g-w39m-5jj4

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30546

Url: https://github.com/contiki-ng/contiki-ng/pull/2425

Url: https://www.mend.io/vulnerability-database/CVE-2023-30546

Severity Score

8.6

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Off-by-one Error

CWE-193

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30546

Date: April 26, 2023

Language: C

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?