CVE-2022-36054 is a medium-severity vulnerability identified in Contiki-NG, an open-source operating system designed for next-generation Internet of Things (IoT) devices. The vulnerability exists in the 6LoWPAN protocol implementation within the Contiki-NG OS, specifically in the file os/net/ipv6/sicslowpan.c. The issue arises from a missing length check in the input function responsible for processing incoming 6LoWPAN packets and copying their contents into a packet buffer. This flaw allows an attacker to perform an out-of-bounds write when sending either an unfragmented 6LoWPAN packet or the first fragment of a fragmented packet that is sufficiently large. The out-of-bounds write occurs because the function copies data beyond the allocated buffer size, potentially corrupting adjacent memory. Exploitation requires the attacker to have the capability to send crafted 6LoWPAN packets to a device running a vulnerable version of Contiki-NG (versions prior to 4.8). This vulnerability could lead to memory corruption, which may result in unpredictable behavior including crashes, denial of service, or potentially arbitrary code execution depending on the device architecture and memory layout. However, no known exploits have been reported in the wild to date. Given the nature of the vulnerability, exploitation does not require authentication but does require network access to the vulnerable 6LoWPAN interface. The vulnerability affects a specialized subset of IoT devices that utilize Contiki-NG and 6LoWPAN for low-power wireless communication, commonly found in constrained environments such as sensor networks and industrial IoT deployments.

For European organizations deploying IoT devices based on Contiki-NG, especially in critical infrastructure sectors such as smart metering, industrial automation, and building management systems, this vulnerability poses a risk of device compromise or disruption. An attacker capable of sending malicious 6LoWPAN packets could cause device crashes or potentially execute arbitrary code, leading to denial of service or unauthorized control of IoT endpoints. This could disrupt operational technology environments, degrade service availability, and compromise data integrity. Given the increasing adoption of IoT in European smart cities and industrial sectors, exploitation could have cascading effects on network reliability and safety systems. The impact is heightened in environments where devices are deployed in unattended or remote locations, making physical remediation difficult. However, the attack surface is limited to networks where 6LoWPAN is used and where attackers have direct or indirect access to the wireless network segment. Since no public exploits are known, the immediate risk is moderate but could increase if exploit code becomes available.

European organizations should prioritize updating Contiki-NG deployments to version 4.8 or later, where this vulnerability is addressed. For devices that cannot be immediately updated, network-level mitigations should be implemented, such as segmenting 6LoWPAN networks from untrusted sources and employing strict access controls on wireless interfaces to restrict packet injection. Monitoring network traffic for anomalous or oversized 6LoWPAN packets can help detect exploitation attempts. Additionally, organizations should conduct an inventory of IoT devices running Contiki-NG and assess their exposure to external or semi-trusted networks. Employing intrusion detection systems tailored for IoT protocols and regularly auditing firmware versions will further reduce risk. Where feasible, deploying network-level encryption and authentication mechanisms for 6LoWPAN communications can limit unauthorized packet injection. Finally, organizations should engage with device vendors to obtain patches and security updates and consider compensating controls such as device isolation or fail-safe modes to mitigate potential impacts.