Description
TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output.
Published: 2026-01-14
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

TinyOS versions up to 2.1.2 contain a global buffer overflow in the printfUART implementation used by the ZigBee / IEEE 802.15.4 stack. The function writes formatted output into a fixed‑size global buffer and concatenates %s strings with strcat() without checking remaining capacity. When called with a longer user‑controlled string, the unbounded write corrupts global memory, which can lead to denial of service, unintended behavior, or information disclosure through corrupted adjacent state or UART output.

Affected Systems

All installations of TinyOS 2.1.2 and earlier are vulnerable. No newer versions are affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is below 1 %, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to control the string passed to printfUART, and the likely attack vector is via the UART debugging interface where the vulnerable function is invoked. If successfully triggered, the attacker can cause the device to crash or leak sensitive data.

Generated by OpenCVE AI on April 18, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a TinyOS release newer than 2.1.2 or apply the vendor’s security patch for printfUART overflow if available
  • Modify the printfUART source to enforce bounds checking on the global buffer before concatenating strings
  • If upgrading is not immediately possible, disable or restrict use of the printfUART routine in production deployments

Generated by OpenCVE AI on April 18, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Tinyos
Tinyos tinyos
Vendors & Products Tinyos
Tinyos tinyos

Wed, 14 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output.
Title TinyOS <= 2.1.2 Global Buffer Overflow in printfUART
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Tinyos Tinyos
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-01-14T15:35:01.567Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22211

cve-icon Vulnrichment

Updated: 2026-01-14T15:34:54.514Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T16:15:56.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22211

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses