Description
Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh or bypass security checks via crafted IPv4 packets with options.
Published: 2026-05-13
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper input validation flaw (CWE-20) in the NAT64 translator component of OpenThread. An attacker on the adjacent IPv4 network can send crafted IPv4 packets carrying IP options that cause the translator to emit corrupted IPv6 packets into the Thread mesh or to skip its security checks. The CVSS 4.0 vector rates the integrity impact high and the availability impact low, with no confidentiality impact, so the primary risk is malformed or forged traffic inside the mesh rather than information disclosure.

Affected Systems

The affected product is OpenThread by The OpenThread Authors on all platforms, in any build taken from the repository before commit 26a882d. No release version strings are listed; the fix is identified only by that commit, so a build has to be checked against the git history rather than a version number.

Risk and Exploitability

The CVSS 4.0 score of 6.0 indicates medium severity. The EPSS score is below 1% (very low), and the vulnerability is not listed in CISA's KEV catalog. The CVSS vector (AV:A/AC:L/AT:P/PR:N/UI:N) and the description both place the attacker on the adjacent IPv4 network: no privileges or user interaction are required, but the attacker must be able to reach the IPv4 side of the NAT64 translator and inject IPv4 packets with options. The SSVC assessment records no known exploitation, "Automatable: no" and a partial technical impact, and no public exploit is reported. With integrity rated high and availability low, the likely outcomes are corrupted or forged traffic inside the Thread mesh and degraded service rather than data exposure.

Generated by OpenCVE AI on May 13, 2026 at 15:50 UTC.

Remediation

No vendor advisory or workaround has been published. The description identifies commit 26a882d as the fix; builds at or after that commit are not affected.

OpenCVE Recommended Actions

  • Update to OpenThread commit 26a882d or later to apply the bug fix.
  • Restrict or block IPv4 packets carrying IP options (IHL greater than 5, i.e. a header longer than 20 bytes) from reaching the NAT64 translator, or segment the IPv4 side so only trusted devices can reach it.
  • Monitor the IPv6 side of the translator for malformed packets (inconsistent length fields, unexpected headers) and for anomalous traffic inside the Thread network.
  • If the NAT64 functionality is not required, disable or remove it from the OpenThread installation.

Generated by OpenCVE AI on May 13, 2026 at 15:50 UTC.
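The analysis and recommended actions above come down to one point: before a NAT64 translator copies anything from an IPv4 packet into an IPv6 packet, it must check the header length (IHL), the total length and the length of every option against the bytes it actually received, and it must refuse source-routing options (RFC 7915 section 4.1). The Python below is an added example written for this page; it is not OpenThread code and does not reproduce the specific check that commit 26a882d fixed, which the advisory does not identify. The NAT64 prefix, the sample packets and the field names are assumptions constructed for the demonstration.

```python
"""Validate IPv4 headers with options before NAT64 translation (added example, not OpenThread code)."""
import ipaddress
import struct

# Assumed well-known NAT64 prefix (RFC 6052); a real deployment may use its own /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96").network_address.packed[:12]
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


class InvalidIPv4(ValueError):
    """Raised for any packet the translator must drop instead of translating."""


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over the header; 0 means the stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Check every length field and option before trusting any byte of the packet."""
    if len(pkt) < 20:
        raise InvalidIPv4("shorter than the fixed IPv4 header")
    ver_ihl, tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise InvalidIPv4("version is not 4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; 24..60 means options are present
    if ihl < 20:
        raise InvalidIPv4("IHL below 5 words")
    if ihl > total_len or total_len > len(pkt):
        raise InvalidIPv4("IHL or total length claims more bytes than were received")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise InvalidIPv4("header checksum mismatch")
    opts, i = pkt[20:ihl], 0
    while i < len(opts):                 # walk the option list; every TLV must stay inside the header
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise InvalidIPv4("option %d has a missing or overrunning length" % kind)
        if kind in (OPT_LSRR, OPT_SSRR):
            # RFC 7915 discards packets with an unexpired source route option; this example refuses them all.
            raise InvalidIPv4("source-routing option; packet must be dropped")
        i += opts[i + 1]
    return {"tos": tos, "flags_frag": flags_frag, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def translate_to_ipv6(pkt: bytes) -> bytes:
    """Stateless IPv4 -> IPv6 header translation (RFC 7915 fields, RFC 6052 embedded addresses)."""
    f = parse_ipv4(pkt)
    if f["flags_frag"] & 0x3FFF:
        raise InvalidIPv4("fragment: Fragment-header handling is out of scope here")
    if f["proto"] == 1:
        raise InvalidIPv4("ICMP: ICMPv6 translation is out of scope here")
    # Version 6, traffic class = IPv4 TOS, flow label 0; payload length comes from the validated
    # lengths, next header copies the protocol, hop limit copies the TTL. No IPv4 option survives.
    hdr = struct.pack("!IHBB", (6 << 28) | (f["tos"] << 20), len(f["payload"]), f["proto"], f["ttl"])
    return hdr + NAT64_PREFIX + f["src"] + NAT64_PREFIX + f["dst"] + f["payload"]


def build_ipv4(src: str, dst: str, payload: bytes, options: bytes = b"", ihl_words=None) -> bytes:
    """Constructed sample packets with a correct checksum; ihl_words lets a sample lie about the IHL."""
    options += b"\x00" * (-len(options) % 4)
    ihl_words = 5 + len(options) // 4 if ihl_words is None else ihl_words
    total_len = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0x1234, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


PAYLOAD = b"udp-payload"   # constructed; a real translator would validate the transport header too
SAMPLES = {
    "plain": build_ipv4("192.0.2.1", "198.51.100.7", PAYLOAD),
    "router-alert": build_ipv4("192.0.2.1", "198.51.100.7", PAYLOAD, options=b"\x01\x94\x04\x00\x00"),
    "ihl-overrun": build_ipv4("192.0.2.1", "198.51.100.7", PAYLOAD, ihl_words=15),
    "option-overrun": build_ipv4("192.0.2.1", "198.51.100.7", PAYLOAD, options=b"\x94\x08"),
    "source-route": build_ipv4("192.0.2.1", "198.51.100.7", PAYLOAD, options=b"\x83\x07\x04\x0a\x00\x00\x01"),
}


def classify(pkt: bytes) -> str:
    """'translated' or 'rejected: <reason>'; usable in the translator and as a monitoring check."""
    try:
        translate_to_ipv6(pkt)
        return "translated"
    except InvalidIPv4 as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-15s %s" % (name, classify(pkt)))
```

The "router-alert" sample shows that options by themselves are not the problem: a well-formed option list translates normally and is simply not carried into IPv6. The three rejected samples are the cases a translator must not trust: an IHL larger than the packet, an option whose length field runs past the header, and a source-routing option. The same `classify` check, run over captured IPv4 frames arriving at the translator, gives the monitoring signal the recommended actions ask for.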

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   The Openthread Authors
                                      The Openthread Authors openthread
Vendors & Products                    The Openthread Authors
                                      The Openthread Authors openthread

Wed, 13 May 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh or bypass security checks via crafted IPv4 packets with options.
Title                          Improper Input Validation in OpenThread NAT64 Translator
Weaknesses                     CWE-20
References
Metrics                        cvssV4_0
                               {'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-05-13T14:46:46.709Z

Reserved: 2026-05-11T21:44:33.335Z

Link: CVE-2026-8369

Vulnrichment

Updated: 2026-05-13T14:46:38.216Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T14:18:16.953

Modified: 2026-05-13T15:54:22.820

Link: CVE-2026-8369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:31Z

Weaknesses