Analysis pending: CVE-2026-8369

CVE-2026-8369: IPv4 Packet Injection in OpenThread

Platform

linux

Component

openthread

Fixed in

0.17.0

CVE-2026-8369 describes an improper input validation vulnerability in the NAT64 translator within OpenThread, affecting versions up to commit 26a882d. This flaw allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh. The vulnerability is mitigated by upgrading to version 0.17.0.

Impact and Attack Scenarios

The impact of CVE-2026-8369 is the potential for an attacker to inject malicious IPv6 packets into a Thread mesh network. This could lead to various security compromises, including denial of service, man-in-the-middle attacks, and potentially even the execution of arbitrary code depending on the specific payload injected. The attacker needs to be on the same IPv4 network as the OpenThread device. This vulnerability bypasses security checks intended to protect the Thread mesh, making it a significant concern for devices relying on Thread for secure communication. The blast radius extends to all devices within the affected Thread mesh.

Exploitation Context

CVE-2026-8369 was published on 2026-05-13. The vulnerability's severity is pending evaluation. There is no current indication of active exploitation. Public proof-of-concept (POC) code is not yet available. The vulnerability is related to the NAT64 translation process, a common component in Thread networks.

Threat Analysis

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Reports: 1 threat report

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

Affected Software

Component: openthread
Vendor: The OpenThread Authors
Maximum version: commit 26a882d
Fixed in: 0.17.0

Vulnerability Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-8369 is to upgrade OpenThread to version 0.17.0 or later. If upgrading is not immediately possible, consider segmenting the IPv4 network to restrict access to the OpenThread devices. Monitor network traffic for unusual IPv6 packets originating from the IPv4 network. Review and harden the configuration of the NAT64 translator to limit the types of IPv4 packets it processes. After upgrade, verify the integrity of the OpenThread installation and confirm that the NAT64 translator is functioning as expected.

How to Fix

Upgrade to version 0.17.0 or later to mitigate the vulnerability. This update fixes the improper input validation in the NAT64 translator, preventing the injection of corrupted packets and the bypass of security controls.

Frequently Asked Questions

What is CVE-2026-8369 — IPv4 Packet Injection in OpenThread?

CVE-2026-8369 is a vulnerability in OpenThread's NAT64 translator allowing attackers on an adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh.

Am I affected by CVE-2026-8369 in OpenThread?

If you are using OpenThread versions before commit 26a882d, you are potentially affected. Check your version using `git rev-parse HEAD`.

How do I fix CVE-2026-8369 in OpenThread?

Upgrade OpenThread to version 0.17.0 or later. Consider network segmentation as a temporary mitigation.

Is CVE-2026-8369 being actively exploited?

There is currently no public information indicating that CVE-2026-8369 is being actively exploited in the wild.

Where can I find the official OpenThread advisory for CVE-2026-8369?

Refer to the official OpenThread project repository and security advisories for the latest information: [https://github.com/openthread/openthread](https://github.com/openthread/openthread)
