A remotely exploitable stack-based buffer overflow in the lwIP TCP/IP stack's SNMPv3 USM handler (versions up to and including 2.2.1) lets an unauthenticated attacker corrupt memory by manipulating the msgAuthenticationParameters field of an SNMPv3 message; it is rated CVSS 9.8 (critical).
What Is It
The flaw lives in snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c, part of lwIP's SNMPv3 User-based Security Model (USM) handler. Crafted input in the msgAuthenticationParameters field of the USM security parameters triggers a stack-based buffer overflow (CWE-119 / CWE-121). The bug is reachable over the network with no authentication and no user interaction, per the CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CVSS v2 scores it a maximum 10.0 and CVSS v4 rates it 9.3 critical.
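To make the bug class concrete, the following is an added illustration written for this page; it is not lwIP's snmp_parse_inbound_frame and does not reproduce the real defect, whose exact code path is not described here. It models what CWE-121 looks like in an SNMPv3 USM parser: msgAuthenticationParameters arrives as a BER OCTET STRING whose length byte is attacker controlled, and a parser that sizes its copy by that length rather than by its own destination buffer overruns the stack. The 12-byte buffer size, the struct sim_frame layout, and the sample messages are assumptions chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class this page describes (CWE-121). It is
 * NOT lwIP's snmp_parse_inbound_frame and does not reproduce the real defect.
 * SNMPv3 USM carries msgAuthenticationParameters as a BER OCTET STRING whose
 * length byte comes from the sender; copying by that length into a fixed
 * buffer without checking the destination size overflows the stack. */

#define BER_OCTET_STRING 0x04
#define AUTH_PARAM_MAX   12   /* assumed: HMAC-MD5-96 / HMAC-SHA-96 truncated MAC size */

/* Simulated stack frame: the parameter buffer followed by data a real frame
 * would hold next to it (saved registers, return address). Kept in one struct
 * so the overflow in this demo stays inside a single object. */
struct sim_frame {
    uint8_t auth_params[AUTH_PARAM_MAX];
    uint8_t saved_state[8];
};
#define SAVED_STATE_PATTERN 0xA5

enum parse_rc { PARSE_OK = 0, PARSE_ERR_MALFORMED = -1, PARSE_ERR_TOO_LONG = -2 };

/* Short-form BER header only (tag + one length byte below 128), enough for USM
 * auth parameters. Returns header size, or 0 if the TLV is malformed or the
 * value would run past the end of the datagram. */
static size_t ber_octet_string_header(const uint8_t *buf, size_t buflen, size_t *value_len)
{
    if (buflen < 2 || buf[0] != BER_OCTET_STRING || (buf[1] & 0x80)) return 0;
    *value_len = buf[1];
    if (buflen - 2 < *value_len) return 0;
    return 2;
}

/* VULNERABLE model: checks the source (datagram) bound but never the
 * destination bound, so a long OCTET STRING spills past auth_params. */
int parse_auth_params_vulnerable(const uint8_t *pkt, size_t pktlen, struct sim_frame *f)
{
    size_t vlen, hdr = ber_octet_string_header(pkt, pktlen, &vlen);
    if (hdr == 0) return PARSE_ERR_MALFORMED;
    if (vlen > sizeof *f) return PARSE_ERR_MALFORMED;  /* demo-only guard: keep the spill inside sim_frame */
    uint8_t *dst = (uint8_t *)f;                        /* same address as f->auth_params */
    memcpy(dst, pkt + hdr, vlen);                       /* BUG: vlen may exceed AUTH_PARAM_MAX */
    return PARSE_OK;
}

/* HARDENED: the one check the vulnerable version lacks, applied before the copy. */
int parse_auth_params_hardened(const uint8_t *pkt, size_t pktlen, struct sim_frame *f)
{
    size_t vlen, hdr = ber_octet_string_header(pkt, pktlen, &vlen);
    if (hdr == 0) return PARSE_ERR_MALFORMED;
    if (vlen > sizeof f->auth_params) return PARSE_ERR_TOO_LONG;
    memcpy(f->auth_params, pkt + hdr, vlen);
    return PARSE_OK;
}

void sim_frame_init(struct sim_frame *f)
{
    memset(f->auth_params, 0, sizeof f->auth_params);
    memset(f->saved_state, SAVED_STATE_PATTERN, sizeof f->saved_state);
}

/* 1 if the bytes beyond auth_params are untouched, 0 if a copy clobbered them. */
int sim_frame_intact(const struct sim_frame *f)
{
    for (size_t i = 0; i < sizeof f->saved_state; i++)
        if (f->saved_state[i] != SAVED_STATE_PATTERN) return 0;
    return 1;
}

/* Constructed sample inputs for the demo, not captured traffic. */
static const uint8_t MSG_BENIGN[]    = { 0x04, 0x0C, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t MSG_OVERSIZED[] = { 0x04, 0x10, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                                         'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
static const uint8_t MSG_TRUNCATED[] = { 0x04, 0x0C, 1, 2, 3 };   /* claims 12 bytes, carries 3 */

/* Runs both parsers over the oversized message. Returns 1 when the vulnerable
 * parser accepted it and overwrote saved_state while the hardened parser
 * rejected it and left saved_state intact. */
int demo_overflow(void)
{
    struct sim_frame v, h;
    sim_frame_init(&v);
    sim_frame_init(&h);
    int rv = parse_auth_params_vulnerable(MSG_OVERSIZED, sizeof MSG_OVERSIZED, &v);
    int rh = parse_auth_params_hardened(MSG_OVERSIZED, sizeof MSG_OVERSIZED, &h);
    return rv == PARSE_OK && !sim_frame_intact(&v) &&
           rh == PARSE_ERR_TOO_LONG && sim_frame_intact(&h);
}

int main(void)
{
    printf("overflow demonstrated: %s\n", demo_overflow() ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering of checks: validating that the OCTET STRING fits inside the datagram (which both versions do) says nothing about whether it fits inside the destination buffer, and on an embedded target without stack canaries or ASLR the bytes that land in saved_state are what an attacker turns into control-flow hijack. When auditing a vendor's lwIP build, look for exactly this pair of checks around every length-prefixed copy in the USM path.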
Why It Matters
lwIP is a lightweight TCP/IP stack widely embedded in IoT devices, industrial controllers, network equipment, and other resource-constrained firmware. A pre-authentication stack overflow reachable via SNMPv3 packets gives an attacker a direct path to memory corruption and, depending on platform mitigations (often absent on embedded targets, which commonly lack stack canaries, ASLR, and non-executable memory), potential remote code execution or denial of service. The impact triad is full High/High/High on confidentiality, integrity, and availability. There is no CISA KEV listing at this time, so active in-the-wild exploitation is not confirmed.
What's Vulnerable
- Product: lwIP (lightweight IP) TCP/IP stack
- Affected versions: all releases up to and including 2.2.1
- Component: SNMPv3 USM Handler
- File / function: src/apps/snmp/snmp_msg.c → snmp_parse_inbound_frame
- Trigger: manipulation of the msgAuthenticationParameters argument in an inbound SNMPv3 message
- Attack vector: network, no privileges, no user interaction
Downstream exposure depends on embedded vendors who ship lwIP with SNMPv3 enabled. lwIP's SNMP agent is a build-time option (LWIP_SNMP in lwipopts.h, with LWIP_SNMP_V3 enabling the USM code path), so a firmware built without SNMPv3 does not compile the affected handler; a product is exposed when the option is on and the agent is bound to a reachable interface. Operators of IoT and ICS fleets should assume potential exposure pending vendor advisories, and can confirm it by checking whether a device answers SNMPv3 requests on UDP/161.
Patch Status
A fix has been committed upstream as 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. The recommended action is to apply this patch (or upgrade to a post-2.2.1 build containing it) in any firmware that integrates lwIP's SNMP application; because vendors typically vendor a pinned copy of lwIP, the fix reaches devices only through a firmware update, so confirm with each vendor that their build carries the commit. Where patching is not immediately feasible, disable SNMPv3 in the build or device configuration, or block inbound SNMP traffic (UDP/161) at the network perimeter until the fix can be deployed.