Unrated severity · NVD Advisory · Published Apr 12, 2021 · Updated Aug 3, 2024

CVE-2021-3128

Description

A routing loop in ASUS routers with IPv6 enabled can cause excessive network traffic, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-3128 affects ASUS routers including RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and others running firmware versions prior to 3.0.0.4.386.42095 or 9.0.0.4.386.41994. When IPv6 is enabled, a routing loop occurs if a link prefix route points to a point-to-point link, a destination IPv6 address belongs to that prefix but is not a local address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set [1][2][3][4].
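To check whether a captured Router Advertisement meets the third condition above (a global unicast prefix advertised with the on-link flag set), the following added example parses the RA's Prefix Information options as laid out in RFC 4861. It is not code from ASUS or from the advisory; the function names and the 2001:db8::/32 documentation prefix in the sample are assumptions made for illustration. On-link prefixes are normal on SLAAC networks, so a match shows only that this one precondition is present.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option
FLAG_ON_LINK = 0x80    # "L" bit in the option's flags byte
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def on_link_global_prefixes(icmpv6: bytes) -> list:
    """Return global unicast prefixes that the RA marks as on-link."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    found = []
    offset = 16  # options follow the 16-byte fixed RA header
    while offset + 2 <= len(icmpv6):
        opt_type = icmpv6[offset]
        opt_len = icmpv6[offset + 1] * 8  # length field counts 8-byte units
        if opt_len == 0 or offset + opt_len > len(icmpv6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix_len = icmpv6[offset + 2]
            flags = icmpv6[offset + 3]
            raw = icmpv6[offset + 16:offset + 32]
            net = ipaddress.IPv6Network((raw, prefix_len), strict=False)
            if flags & FLAG_ON_LINK and net.subnet_of(GLOBAL_UNICAST):
                found.append(str(net))
        offset += opt_len
    return found


def constructed_ra(prefix: str, flags: int) -> bytes:
    """Constructed sample RA body for offline parsing (checksum left at 0)."""
    net = ipaddress.ip_network(prefix)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                         flags, 86400, 14400, 0, net.network_address.packed)
    return header + option


if __name__ == "__main__":
    # L and A flags set on a documentation prefix (constructed input)
    print(on_link_global_prefixes(constructed_ra("2001:db8:1::/64", 0xC0)))
```
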

Exploitation

An attacker on the same network segment or upstream can send a crafted router advertisement containing a global unique IPv6 prefix with the on-link flag set. The affected router, upon receiving such an advertisement, may create a routing loop that generates excessive traffic between the router and the upstream ISP router. No authentication is required to send the malicious advertisement, but the attacker must be able to inject IPv6 router advertisements into the network.

Impact

Successful exploitation results in a denial-of-service condition due to excessive network traffic, potentially saturating the link and causing resource exhaustion on the router. The vulnerability does not lead to information disclosure, privilege escalation, or remote code execution.

Mitigation

ASUS has addressed this vulnerability in firmware versions 3.0.0.4.386.42095 and 9.0.0.4.386.41994 (or later). Users should update their routers to the latest firmware available from the ASUS support pages [1][2][3][4]. If upgrading is not immediately possible, disabling IPv6 on the router can serve as a temporary workaround. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
