CVE-2024-47181 Overview
CVE-2024-47181 is a vulnerability in Contiki-NG, an open-source operating system for resource-constrained Internet of Things (IoT) devices. The flaw exists in both Routing Protocol for Low-Power and Lossy Networks (RPL) implementations shipped with the operating system. An attacker can trigger an unaligned memory access by sending a crafted IPv6 packet containing an odd number of padded bytes before the RPL option. The rpl_ext_header_hbh_update function then reads a 16-bit integer from an odd address, which can crash the device on architectures that require aligned access.
Critical Impact
Remote attackers can cause a denial-of-service condition on RPL-enabled Contiki-NG nodes without authentication or user interaction, disrupting IoT mesh networks.
Affected Products
- Contiki-NG operating system release 4.9 and earlier
- Both RPL implementations bundled with Contiki-NG (RPL Classic and RPL Lite)
- IoT devices running Contiki-NG connected to an RPL instance
Discovery Timeline
- 2024-11-27 - CVE-2024-47181 published to the National Vulnerability Database (NVD)
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-47181
Vulnerability Analysis
The vulnerability is classified under [CWE-704] (Incorrect Type Conversion or Cast) and affects how Contiki-NG processes IPv6 Hop-by-Hop (HBH) extension headers carrying RPL options. When an incoming IPv6 packet places an odd number of padding bytes before the RPL option, the offset of the option payload becomes misaligned relative to a 16-bit word boundary.
The rpl_ext_header_hbh_update function attempts to read a 16-bit integer directly from this misaligned address. On architectures that require strict alignment for multi-byte access, such as several ARM Cortex-M variants commonly deployed in IoT devices, this read raises a bus fault. The fault terminates the firmware execution and reboots or halts the device.
Because RPL is the default routing protocol for Contiki-NG mesh deployments, any node participating in an RPL instance is exposed to traffic that can trigger the unaligned access.
Root Cause
The root cause is the absence of byte-by-byte access or alignment-safe accessors when parsing RPL option fields inside the Hop-by-Hop extension header. The parser assumes the option payload is naturally aligned, but RFC 6553 permits arbitrary padding before the option, which breaks this assumption.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker on the same RPL network, or any upstream node capable of injecting IPv6 packets toward a Contiki-NG device, can craft a packet containing odd padding before the RPL option. The malformed packet propagates through the routing fabric and crashes vulnerable nodes that attempt to process it.
The vulnerability is described in prose because no public proof-of-concept exploit has been verified. Technical details are available in the Contiki-NG GitHub Security Advisory.
Detection Methods for CVE-2024-47181
Indicators of Compromise
- Unexpected reboots or hard faults on Contiki-NG nodes coinciding with inbound IPv6 traffic carrying Hop-by-Hop extension headers
- IPv6 packets containing an odd number of padding bytes preceding an RPL option in the HBH header
- Loss of routing connectivity for nodes downstream of a crashed RPL parent
Detection Strategies
- Inspect IPv6 traffic at network borders for malformed HBH extension headers and unusual padding patterns before the RPL option
- Monitor Contiki-NG device logs and serial output for bus fault or unaligned-access exceptions
- Correlate device uptime resets across RPL mesh nodes to identify coordinated crash events
Monitoring Recommendations
- Enable IPv6 packet capture on RPL border routers and alert on non-standard HBH option padding
- Track per-node availability metrics in IoT management platforms to surface anomalous reboot clusters
- Forward device telemetry into a centralized data lake for retention and historical correlation of crash events
How to Mitigate CVE-2024-47181
Immediate Actions Required
- Apply the changes from Contiki-NG pull request #2962 to vulnerable firmware builds and reflash affected devices
- Restrict which nodes can inject IPv6 traffic into the RPL instance by enforcing link-layer authentication and access control
- Audit deployed firmware versions across the IoT fleet to identify nodes still running Contiki-NG 4.9 or earlier
Patch Information
As documented in the vendor advisory, the issue was not patched in release 4.9 and is scheduled for inclusion in the next Contiki-NG release. Operators can apply the fix immediately by merging pull request #2962, which introduces alignment-safe handling of the RPL option inside rpl_ext_header_hbh_update. Full details are published in the GitHub Security Advisory GHSA-crjw-x84h-h6x3.
Workarounds
- Disable the RPL implementations on nodes where routing is not required, removing the vulnerable code path from execution
- Filter inbound IPv6 packets that contain Hop-by-Hop extension headers with non-standard padding at the network edge
- Segment RPL instances so that untrusted devices cannot reach production IoT nodes until firmware is rebuilt with the patch
# Build Contiki-NG from source with the patch applied
git clone https://github.com/contiki-ng/contiki-ng.git
cd contiki-ng
git fetch origin pull/2962/head:fix-rpl-unaligned
git checkout fix-rpl-unaligned
make TARGET=<your-target> distclean
make TARGET=<your-target>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
