CVE-2026-8369

Vulnerability

Overview

The NAT64 translator in OpenThread before commit 26a882d contains an improper input validation vulnerability. The translator assumed a fixed IPv4 header length of 20 bytes, but IPv4 headers can be longer when options are present (IHL > 5). This caused the translator to read transport layer fields from a wrong offset, corrupting them, and to only remove 20 bytes from the message, leaving IPv4 options at the start of the translated IPv6 payload [1].

Exploitation

An attacker on the adjacent IPv4 network can exploit this by sending crafted IPv4 packets with options. The flawed parsing leads to incorrect translation, potentially allowing the attacker to inject corrupted IPv6 packets into the Thread mesh. Additionally, mandatory security checks for source route options (LSRR/SSRR) were bypassed because the translator did not properly inspect the header for these options [1].

Impact

Successful exploitation could allow an attacker to inject malformed or malicious IPv6 packets into the Thread network, potentially disrupting communication or bypassing security controls. The vulnerability is rated Medium severity and affects all platforms running the vulnerable version of OpenThread.

Mitigation

The fix, implemented in pull request #12818, updates the Ip4::Header to validate IHL and provide the actual header length. The NAT64 translator now uses the correct header length for parsing and removal, and packets with LSRR or SSRR options are discarded as required by RFC 7915 [1]. Users should update to a version containing commit 26a882d or later.