CVE-2020-22284
Published 2021-07-22
CVE-2020-22284: A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to…
Priority P338 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.17% (63.6th percentile)
A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | lwip | < lwip 2.1.3+dfsg1-1 (bookworm) | lwip 2.1.3+dfsg1-1 (bookworm) |
| lwip_project | lwip | — | — |
| lwip_project | lwip | >= 0 < 2.1.2+dfsg1-8+deb11u1 | 2.1.2+dfsg1-8+deb11u1 |
| lwip_project | lwip | >= 0 < 2.1.3+dfsg1-1 | 2.1.3+dfsg1-1 |
| lwip_project | lwip | >= 0 < 2.1.3+dfsg1-1 | 2.1.3+dfsg1-1 |
| lwip_project | lwip | >= 0 < 2.1.3+dfsg1-1 | 2.1.3+dfsg1-1 |
| ubuntu | lwip | — | — |
CVSS provenance
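| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |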
VulDB
FSF lwIP 2.1.2 6LoWPAN Packet zepif_linkoutput buffer overflow (Nessus ID 320846)
vuldb·2026-06-12·CVSS 7.5
CVE-2020-22284 [HIGH] FSF lwIP 2.1.2 6LoWPAN Packet zepif_linkoutput buffer overflow (Nessus ID 320846)
A vulnerability marked as critical has been reported in FSF lwIP 2.1.2. This impacts the function zepif_linkoutput of the component 6LoWPAN Packet Handler. Performing a manipulation results in buffer overflow.
This vulnerability was named CVE-2020-22284. The attack needs to be approached within the local network. There is no available exploit.
GHSA
GHSA-4f64-6qh9-pmfj: A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2
ghsa_unreviewed·2022-05-24
CVE-2020-22284 [HIGH] CWE-120 GHSA-4f64-6qh9-pmfj: A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2
A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.
OSV
CVE-2020-22284: A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2
osv·2021-07-22·CVSS 7.5
CVE-2020-22284 [HIGH] CVE-2020-22284: A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2
A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.
Ubuntu
lwIP vulnerabilities
vendor_ubuntu·2026-06-11·CVSS 7.5
CVE-2026-8836 [HIGH] lwIP vulnerabilities
Title: lwIP vulnerabilities
Summary: Several security issues were fixed in lwIP.
It was discovered that lwIP contained a buffer overflow in the EAP
authentication handling code. An attacker could possibly use this issue
to trigger a buffer overflow, resulting in arbitrary code execution or a
denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2020-8597)
It was discovered that lwIP incorrectly handled certain ICMPv6 or
6LoWPAN packets. An attacker could possibly use this issue to trigger a
buffer overflow, resulting in information disclosure. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-22283, CVE-2020-22284)
It was discovered that lwIP did not properly validate certain SNMPv3
authentication parameters. An attacker could possibly use this issue to
trigger a stack-
Debian
CVE-2020-22284: lwip - A buffer overflow vulnerability in the zepif_linkoutput() function of Free Softw...
vendor_debian·2020·CVSS 7.5
CVE-2020-22284 [HIGH] CVE-2020-22284: lwip - A buffer overflow vulnerability in the zepif_linkoutput() function of Free Softw...
A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.
Scope: local
bookworm: resolved (fixed in 2.1.3+dfsg1-1)
bullseye: resolved (fixed in 2.1.2+dfsg1-8+deb11u1)
forky: resolved (fixed in 2.1.3+dfsg1-1)
sid: resolved (fixed in 2.1.3+dfsg1-1)
trixie: resolved (fixed in 2.1.3+dfsg1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-07-22