Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Ubuntu Security

USN-8423-1: lwIP vulnerabilities

Multiple critical vulnerabilities in lwIP allow remote attackers to execute arbitrary code or cause denial of service via buffer overflows in EAP authentication handling (CVE-2020-8597, CVSS 9.8), ICMPv6/6LoWPAN packet processing (CVE-2020-22283, CVE-2020-22284, CVSS 7.5), and improper SNMPv3 authentication validation (CVE-2026-8836). The EAP vulnerability specifically affects `point-to-point_protocol` versions 2.4.2 through 2.4.8, among other listed products. The article advises upgrading to patched versions, such as version 03.04.10(16) for WAGO PFC firmware to address CVE-2020-8597.

It was discovered that lwIP contained a buffer overflow in the EAP authentication handling code. An attacker could possibly use this issue to trigger a buffer overflow, resulting in arbitrary code execution or a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-8597)

It was discovered that lwIP incorrectly handled certain ICMPv6 or 6LoWPAN packets. An attacker could possibly use this issue to trigger a buffer overflow, resulting in information disclosure. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-22283, CVE-2020-22284)

It was discovered that lwIP did not properly validate certain SNMPv3 authentication parameters. An attacker could possibly use this issue to trigger a stack-based buffer overflow, resulting in arbitrary code execution or a denial of service. (CVE-2026-8836)