Description
RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash.
Published: 2026-01-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A missing bounds check in the ethos utility's _handle_char() function allows an attacker to send crafted serial or TCP‑framed input that overflows a fixed‑size stack buffer, corrupting memory and crashing the application. The available information confirms only memory corruption and program termination.

Affected Systems

RIOT:RIOT OS, versions up to and including 2026.01-devel-317, specifically the ethos utility responsible for parsing incoming serial frame data.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while the EPSS score of <1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. A likely attack requires an attacker to be able to transmit crafted frames over the device’s serial or TCP interface, which could involve remote or local access depending on deployment. If successfully exploited, the result is memory corruption and a crash, potentially leading to denial of service.

Generated by OpenCVE AI on April 18, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RIOT OS to a release newer than 2026.01-devel-317 where the bounds check in _handle_char() has been added.
  • If upgrading immediately is not feasible, restrict access to the ethos serial/TCP interface so that only trusted hosts can send frames.
  • Apply any vendor‑supplied patch or, if unavailable, review and modify the source code to implement proper bounds checking for the frame buffer before appending bytes.

Generated by OpenCVE AI on April 18, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*
cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*
cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Riot-os
Riot-os riot
Vendors & Products Riot-os
Riot-os riot

Mon, 12 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Description RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash.
Title RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in ethos Serial Frame Parser
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Riot-os Riot
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-01-13T18:50:40.171Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22214

cve-icon Vulnrichment

Updated: 2026-01-13T18:50:37.755Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-12T23:15:52.453

Modified: 2026-01-21T17:43:51.967

Link: CVE-2026-22214

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses