VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 22, 2021· Updated Mar 11, 2025

CVE-2021-25664

CVE-2021-25664

Description

A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.0), Nucleus Source Code (All versions including affected IPv6 stack). The function that processes the Hop-by-Hop extension header in IPv6 packets and its options lacks any checks against the length field of the header, allowing attackers to put the function into an infinite loop by supplying arbitrary length values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unvalidated length field in the IPv6 Hop-by-Hop extension header parser of Nucleus NET and derivatives enables a remote, unauthenticated denial-of-service via infinite loop.

Vulnerability

CVE-2021-25664 is an infinite loop vulnerability (CWE-835) in the IPv6 Hop-by-Hop extension header processing function of the Siemens Nucleus NET stack. The function iterates over options within the header without verifying that the Length field value is consistent with the actual remaining packet data. By crafting an IPv6 packet with a Hop-by-Hop extension header whose option length field contains an arbitrary (largely over-sized) value, an attacker can cause the loop to never terminate. Affected products include Nucleus NET (all versions), Nucleus ReadyStart V3 prior to V2017.02.4, Nucleus ReadyStart V4 prior to V4.1.0, Nucleus Source Code (versions that bundle the vulnerable IPv6 stack), Capital Embedded AR Classic 431-422 (all versions), and Capital Embedded AR Classic R20-11 prior to V2303 [1][2].

Exploitation

The vulnerability is remotely exploitable without authentication and does not require any user interaction or special network access. An attacker sends a single specially crafted IPv6 packet containing a Hop-by-Hop extension header with an oversized option length field to any device running the affected stack. The receiving device’s kernel starts processing the header options, but because the length value is unchecked, the parsing loop enters an infinite iteration, consuming CPU cycles and preventing legitimate packet processing [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition. The affected device becomes unresponsive to network traffic, and services relying on network communication are disrupted. The CVSS v3.1 base score is 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating no confidentiality or integrity impact but high availability impact [1].

Mitigation

Siemens has released fixed versions for several product lines: Nucleus ReadyStart V3 users should upgrade to V2017.02.4 or later, Nucleus ReadyStart V4 users to V4.1.0 or later, and Capital Embedded AR Classic R20-11 to V2303 or later [2]. For Nucleus NET (all versions) and Nucleus Source Code (all versions including the affected IPv6 stack), contact Siemens support for custom fixes. Capital Embedded AR Classic 431-422 is end-of-life and will not receive a fix [2]. There is no known workaround that completely mitigates the vulnerability. CISA has not listed this CVE in its Known Exploited Vulnerabilities Catalog as of the publication date.

References
  1. Siemens Nucleus Products IPv6 Stack (Update A) | CISA
  2. SSA-248289

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.