CVE-2026-8369 Overview
CVE-2026-8369 is an improper input validation vulnerability [CWE-20] in the NAT64 translator component of OpenThread, the open-source implementation of the Thread networking protocol maintained by The OpenThread Authors. The flaw affects all OpenThread platforms prior to commit 26a882d. An attacker on the adjacent IPv4 network can send crafted IPv4 packets with options to inject corrupted IPv6 packets into the Thread mesh or bypass security checks during protocol translation. The vulnerability requires adjacent network access and no authentication or user interaction.
Critical Impact
Adjacent attackers can inject corrupted IPv6 traffic into Thread mesh networks or bypass NAT64 security checks, compromising the integrity of Thread-connected IoT deployments.
Affected Products
- OpenThread (all platforms) before commit 26a882d
- Thread Border Routers and gateways using OpenThread NAT64 translation
- IoT devices and smart home hubs built on OpenThread (Matter ecosystem components)
Discovery Timeline
- 2026-05-13 - CVE-2026-8369 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8369
Vulnerability Analysis
OpenThread provides NAT64 translation so Thread mesh devices using IPv6 can communicate with IPv4 endpoints on the adjacent network. The NAT64 translator parses inbound IPv4 packets and synthesizes equivalent IPv6 packets that are forwarded into the mesh. The vulnerability stems from incomplete validation of optional IPv4 header fields during this translation step.
When the translator encounters IPv4 packets containing options, it fails to properly validate option length, type, and structural integrity before constructing the corresponding IPv6 datagram. Attackers can exploit this to either malform the resulting IPv6 packet or skip security checks that would otherwise drop the traffic. The result is unauthorized packet injection into the Thread mesh from the IPv4 side of the border router.
Root Cause
The root cause is improper input validation [CWE-20] in the NAT64 packet-translation logic. The code path that handles IPv4 packets containing options does not enforce strict bounds and semantic checks before mapping IPv4 fields to IPv6. The integrity-focused CVSS v4.0 vector reflects high integrity impact with limited availability impact and no confidentiality impact.
Attack Vector
Exploitation requires the attacker to be on the IPv4 network adjacent to a Thread border router running vulnerable OpenThread code. The attacker crafts IPv4 packets containing malformed or unexpected options and transmits them toward the NAT64 interface. Because the translator processes options without sufficient validation, the resulting IPv6 packets either carry attacker-controlled content into the Thread mesh or evade filtering rules at the translation boundary. No authentication is required and no user interaction is needed.
Technical details and the upstream fix are available in the OpenThread GitHub Pull Request #12818.
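The checks described above (bounds on the IHL and total-length fields, a length byte for every multi-byte option, no option running past the header, and a semantic rule for source-route options) can be seen in one place in the following validator. This is an added example written for this page, not OpenThread's NAT64 code or the upstream fix; the option type codes are the RFC 791 values, the rule of discarding packets that carry a source-route option follows the IPv4/IPv6 translation algorithm (RFC 7915, section 4.1), and the `MakePacket` helper and its sample options are constructed here to exercise the edge cases.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Verdict { Translate, DropBadHeader, DropBadOption, DropSourceRoute };

// RFC 791 option type codes (copied flag, class and number combined).
constexpr uint8_t kOptEool = 0;    // end of option list
constexpr uint8_t kOptNop = 1;     // no operation
constexpr uint8_t kOptRr = 7;      // record route
constexpr uint8_t kOptLsrr = 131;  // loose source and record route
constexpr uint8_t kOptSsrr = 137;  // strict source and record route

// Checks the fixed header, then walks the option region byte by byte.
// Returns Translate only when every option is well-formed and no
// source-route option is present; only then may IPv6 be synthesized.
Verdict ValidateIpv4(const std::vector<uint8_t>& pkt) {
    if (pkt.size() < 20) return Verdict::DropBadHeader;
    const unsigned version = pkt[0] >> 4;
    const size_t ihl = static_cast<size_t>(pkt[0] & 0x0F) * 4;      // header length in bytes
    const size_t totalLen = (static_cast<size_t>(pkt[2]) << 8) | pkt[3];
    if (version != 4 || ihl < 20 || ihl > pkt.size()) return Verdict::DropBadHeader;
    if (totalLen < ihl || totalLen > pkt.size()) return Verdict::DropBadHeader;

    size_t pos = 20;
    while (pos < ihl) {
        const uint8_t type = pkt[pos];
        if (type == kOptEool) break;                          // remaining bytes are padding
        if (type == kOptNop) { ++pos; continue; }             // single-byte option, no length field
        if (pos + 1 >= ihl) return Verdict::DropBadOption;    // length byte would sit past the header
        const size_t len = pkt[pos + 1];
        if (len < 2 || pos + len > ihl) return Verdict::DropBadOption;   // zero/short or overrunning length
        if (type == kOptLsrr || type == kOptSsrr) return Verdict::DropSourceRoute;
        if (type == kOptRr) {
            // Record route: pointer byte of at least 4 and a route data
            // area that is a whole number of IPv4 addresses.
            if (len < 3 || pkt[pos + 2] < 4 || (len - 3) % 4 != 0) return Verdict::DropBadOption;
        }
        pos += len;
    }
    return Verdict::Translate;
}

// Constructed sample input for this example: a minimal IPv4 header, the
// given option bytes padded to a 32-bit boundary, and an 8-byte payload.
// Options are at most 40 bytes so the IHL nibble cannot overflow.
std::vector<uint8_t> MakePacket(const std::vector<uint8_t>& options) {
    std::vector<uint8_t> opts = options;
    while (opts.size() % 4 != 0) opts.push_back(kOptEool);
    const size_t ihl = 20 + opts.size();
    const size_t total = ihl + 8;
    std::vector<uint8_t> pkt(total, 0);
    pkt[0] = static_cast<uint8_t>(0x40 | (ihl / 4));          // version 4, IHL in 32-bit words
    pkt[2] = static_cast<uint8_t>(total >> 8);
    pkt[3] = static_cast<uint8_t>(total & 0xFF);
    pkt[8] = 64;                                               // TTL
    pkt[9] = 17;                                               // protocol: UDP
    // source 192.0.2.1, destination 192.0.2.2 (documentation addresses)
    pkt[12] = 192; pkt[13] = 0; pkt[14] = 2; pkt[15] = 1;
    pkt[16] = 192; pkt[17] = 0; pkt[18] = 2; pkt[19] = 2;
    std::copy(opts.begin(), opts.end(), pkt.begin() + 20);
    return pkt;
}

int main() {
    struct Case { const char* name; std::vector<uint8_t> opts; };
    const Case cases[] = {
        {"no options", {}},
        {"record route", {kOptRr, 7, 4, 0, 0, 0, 0}},
        {"loose source route", {kOptLsrr, 7, 4, 192, 0, 2, 9}},
        {"zero option length", {kOptRr, 0}},
        {"length overruns header", {kOptRr, 40, 4}},
        {"type byte with no length byte", {kOptNop, kOptNop, kOptNop, kOptRr}},
    };
    for (const Case& c : cases) {
        std::printf("%-32s -> verdict %d\n", c.name, static_cast<int>(ValidateIpv4(MakePacket(c.opts))));
    }
    return 0;
}
```

The walker never reads a length byte it has not first proven to lie inside the header, which is the difference between a translator that drops the packet and one that copies attacker-controlled bytes into the synthesized IPv6 datagram. The record-route rule is one example of the semantic checks the root-cause text refers to; a production translator would add the same kind of rule for every option type it chooses to accept.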
Detection Methods for CVE-2026-8369
Indicators of Compromise
- Inbound IPv4 packets to NAT64 interfaces containing unusual or malformed IP options such as record route, loose source route, or strict source route.
- IPv6 packets emerging from a Thread border router with header fields inconsistent with the originating IPv4 traffic.
- Unexpected traffic patterns or unknown source addresses reaching internal Thread mesh devices from the IPv4 side.
Detection Strategies
- Inspect border router logs for NAT64 translation errors, dropped packets, or parser warnings related to IPv4 option handling.
- Deploy network-layer monitoring on segments adjacent to Thread border routers and alert on IPv4 packets carrying non-trivial options.
- Correlate IPv4 ingress traffic with IPv6 egress on the border router to identify translation anomalies.
Monitoring Recommendations
- Capture and review packet metadata on the IPv4 interfaces of Thread border routers, focusing on the IHL field and option bytes.
- Track firmware versions and OpenThread commit hashes across deployed border routers to identify devices running code prior to 26a882d.
- Establish baselines for normal NAT64 translation rates and alert on deviations that may signal probing or injection attempts.
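The monitoring points above (watch the IHL field and option bytes on the IPv4 side, and alert when a source departs from the normal translation rate) are shown together in the following offline analyzer. This is an added example written for this page, not an OpenThread tool; the capture records, source addresses, timestamps, window size and per-window baseline are all constructed assumptions, and in practice the records would come from a packet capture on the border router's IPv4 interface.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Capture {
    double ts;                  // capture time in seconds (constructed)
    std::string src;            // IPv4 source address as text
    std::vector<uint8_t> pkt;   // raw IPv4 packet bytes
};

struct Alert {
    std::string src;
    std::string reason;
};

// Hex dump of the option region (bytes 20 .. IHL*4-1), kept in the alert so
// an analyst can see which option types arrived.
static std::string OptionBytesHex(const std::vector<uint8_t>& pkt) {
    const size_t ihl = static_cast<size_t>(pkt[0] & 0x0F) * 4;
    std::string out;
    char buf[3];
    for (size_t i = 20; i < ihl && i < pkt.size(); ++i) {
        std::snprintf(buf, sizeof buf, "%02x", pkt[i]);
        out += buf;
    }
    return out;
}

// One pass over the captures: an alert for every IPv4 packet whose IHL is
// above 5 (the header carries options), and one alert per (source, window)
// the first time its packet count exceeds the baseline.
std::vector<Alert> Analyze(const std::vector<Capture>& caps, double windowSec, size_t maxPerWindow) {
    std::vector<Alert> alerts;
    std::map<std::pair<std::string, long>, size_t> counts;
    for (const Capture& c : caps) {
        if (c.pkt.size() >= 20 && (c.pkt[0] >> 4) == 4 && (c.pkt[0] & 0x0F) > 5) {
            alerts.push_back({c.src, "ipv4-options ihl=" + std::to_string(c.pkt[0] & 0x0F) +
                                     " opts=" + OptionBytesHex(c.pkt)});
        }
        const long window = static_cast<long>(std::floor(c.ts / windowSec));
        if (++counts[{c.src, window}] == maxPerWindow + 1) {
            alerts.push_back({c.src, "packet rate above baseline in window " + std::to_string(window)});
        }
    }
    return alerts;
}

// Constructed sample headers (no payload): a plain 20-byte header and a
// 28-byte header carrying a loose-source-route option (type 0x83).
static const std::vector<uint8_t> kPlainHeader = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 10, 192, 0, 2, 2};
static const std::vector<uint8_t> kLsrrHeader = {
    0x47, 0x00, 0x00, 0x24, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 66, 192, 0, 2, 2,
    0x83, 0x07, 0x04, 192, 0, 2, 9, 0x00};

// Plain header with the last source-address octet replaced.
static std::vector<uint8_t> PlainFrom(uint8_t lastOctet) {
    std::vector<uint8_t> p = kPlainHeader;
    p[15] = lastOctet;
    return p;
}

// Constructed traffic: normal chatter from 192.0.2.10, then one packet with
// options and a burst of six plain packets within one second from 192.0.2.66.
std::vector<Capture> SampleCaptures() {
    std::vector<Capture> caps;
    for (double t : {0.1, 0.4, 0.7}) caps.push_back({t, "192.0.2.10", PlainFrom(10)});
    caps.push_back({0.9, "192.0.2.66", kLsrrHeader});
    for (int i = 0; i < 6; ++i) caps.push_back({1.0 + 0.1 * i, "192.0.2.66", PlainFrom(66)});
    return caps;
}

int main() {
    for (const Alert& a : Analyze(SampleCaptures(), 1.0, 5))
        std::printf("ALERT src=%s %s\n", a.src.c_str(), a.reason.c_str());
    return 0;
}
```

With a one-second window and a baseline of five packets per source per window, the sample produces two alerts, both for 192.0.2.66: one naming the option bytes and one for the burst. The option check deliberately keys on the IHL nibble rather than on parsing the options, so a malformed option region still raises an alert instead of tripping up the monitor.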
How to Mitigate CVE-2026-8369
Immediate Actions Required
- Update OpenThread to a build that includes commit 26a882d or later on all border routers and Thread devices that perform NAT64 translation.
- Inventory deployed Thread border routers and gateways to identify firmware versions and prioritize patching of internet-exposed units first.
- Restrict which hosts on the adjacent IPv4 network can reach the NAT64 interface using upstream firewall rules.
Patch Information
The upstream fix is included in OpenThread commit 26a882d and documented in OpenThread Pull Request #12818. Device vendors integrating OpenThread must rebuild and redistribute firmware containing this commit. Operators should consult their border router vendor for firmware updates that incorporate the fix.
Workarounds
- Disable NAT64 translation on Thread border routers if IPv4 interoperability is not required for the deployment.
- Enforce upstream filtering that drops IPv4 packets containing IP options before they reach the NAT64 interface.
- Segment Thread border routers onto isolated VLANs to limit which adjacent hosts can deliver crafted IPv4 traffic.
# Example upstream filter to drop IPv4 packets with options before NAT64
# iptables rule on the gateway in front of the Thread border router
# (iptables handles IPv4 by default, so no -p argument is needed; the
# ipv4options match is provided by the xtables-addons package)
iptables -A FORWARD -m ipv4options --any-opt -j DROP
# Verify that the deployed OpenThread checkout contains the fix commit
git -C openthread merge-base --is-ancestor 26a882d HEAD && echo "fix present" || echo "fix missing"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.