Description
RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
Published: 2026-01-12
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Local memory corruption that could lead to crash or code execution
Action: Assess Impact
AI Analysis

Impact

A stack-based buffer overflow in the RIOT OS tapslip6 utility arises from unsafe string concatenation in the devopen function. The function builds a device path by concatenating the constant prefix "/dev/" with a user-supplied device name passed via the –s command‑line option using strcpy() and strcat() without bounds checking. This flaw allows an attacker to supply a device name that exceeds the fixed‑size stack buffer, corrupting memory and causing the utility to crash. In the worst case, the memory corruption could be leveraged to execute arbitrary code with the privileges of the user running tapslip6.

Affected Systems

The vulnerability affects RIOT OS versions up through and including 2026.01‑devel‑317. All builds that contain the tapslip6 utility in those releases are susceptible, because the unsafe construction of the device path is present in the source code for that utility. Only the devopen implementation in those versions is impacted; newer releases released after this date have the fix applied.

Risk and Exploitability

The CVSS score is 2.4, indicating low severity, and the EPSS score is below 1 %, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need local access to run the tapslip6 binary and the ability to provide a long –s argument, so the risk is limited to systems where the utility is installed and usable. Because the flaw can lead to memory corruption, trusting only authorized users and applying safer string handling could contain the damage.

Generated by OpenCVE AI on April 18, 2026 at 06:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RIOT OS to a version released after 2026.01‑devel‑317 that contains the fix for tapslip6
  • If upgrading is not immediately possible, restrict the tapslip6 executable to trusted users only and run it under the least privileges required
  • As a temporary workaround, modify the devopen function to use bounded string operations, such as strncpy or strncat, or validate the device name length before copying

Generated by OpenCVE AI on April 18, 2026 at 06:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*
cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*
cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Riot-os
Riot-os riot
Vendors & Products Riot-os
Riot-os riot

Mon, 12 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Description RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
Title RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 2.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Riot-os Riot
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-01-13T18:37:41.785Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22213

cve-icon Vulnrichment

Updated: 2026-01-13T18:37:37.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-12T23:15:52.300

Modified: 2026-01-21T17:44:38.543

Link: CVE-2026-22213

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses