Description
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds reads allow any unauthenticated user, with the ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating that the packet is large enough to contain the struct object. At time of publication, no known patch exists.
Published: 2026-02-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑Bounds Read in RIOT 6LoWPAN handling
Action: Monitor
AI Analysis

Impact

The vulnerability arises when the RIOT 6LoWPAN stack processes received SFR fragments without validating their size. Incoming data is cast directly to a sixlowpan_sfr_rfrag_t structure and dereferenced, so a packet shorter than that structure produces an out-of-bounds read. An unauthenticated attacker who can deliver 6LoWPAN fragments to the device can cause the operating system to read adjacent memory or to crash. The read may expose sensitive information stored in nearby memory, while a crash results in denial of service.

Affected Systems

The flaw affects the RIOT open-source microcontroller OS, versions 2025.10 and earlier. Every device running the 6LoWPAN stack from those releases is affected. At release time no patch was available from RIOT-OS; users should check their firmware version against the advisory.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests that exploitation has so far been unlikely. The vulnerability is not listed in CISA's KEV catalog, but a remote attacker with network access can trigger it by sending malformed SFR fragments over 6LoWPAN. Because the code performs no length check before the cast, the attack requires only network connectivity and no authentication, which makes the potential impact broad across affected deployments.

Generated by OpenCVE AI on April 17, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a RIOT release that contains a fix for the 6LoWPAN out‑of‑bounds read once it becomes available.
  • Apply a temporary code change to the sixlowpan module that validates the packet length against the expected structure size before performing the cast, thereby preventing the out‑of‑bounds read.
  • Block or filter malformed 6LoWPAN fragments at the network border, or use a firewall that rejects packets with unexpected fragment lengths until a patch is applied.
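The length check recommended above, shown as an added example rather than RIOT's own code: the example_rfrag_t layout, the 8-byte RFRAG_HDR_LEN and the sample frames are assumptions constructed for this illustration and do not reproduce sixlowpan_sfr_rfrag_t. The parser refuses to read any header field until the buffer is known to hold a whole header, and additionally rejects a header whose claimed payload size exceeds what actually arrived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical on-wire header used for this example. It is NOT RIOT's
 * sixlowpan_sfr_rfrag_t; the field list and the 8-byte size are assumptions. */
#define RFRAG_HDR_LEN 8u

typedef struct {
    uint8_t  dispatch;   /* 6LoWPAN dispatch byte */
    uint8_t  seq;        /* fragment sequence number */
    uint16_t frag_size;  /* payload bytes the sender claims follow the header */
    uint16_t offset;     /* offset of this fragment in the reassembled datagram */
    uint16_t tag;        /* datagram tag */
} example_rfrag_t;

typedef enum {
    RFRAG_OK         =  0,
    RFRAG_TOO_SHORT  = -1,  /* buffer cannot hold a full header (the advisory's bug class) */
    RFRAG_BAD_LENGTH = -2,  /* header claims more payload than the buffer holds */
} rfrag_status_t;

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The buffer length is compared with the header size BEFORE any field is
 * read. Casting buf to a struct pointer and dereferencing it without this
 * comparison is the pattern the advisory describes. Fields are decoded
 * byte-wise so the parser also tolerates unaligned radio buffers. */
rfrag_status_t parse_rfrag(const uint8_t *buf, size_t len, example_rfrag_t *out)
{
    if (buf == NULL || out == NULL) {
        return RFRAG_TOO_SHORT;
    }
    if (len < RFRAG_HDR_LEN) {
        return RFRAG_TOO_SHORT;
    }
    out->dispatch  = buf[0];
    out->seq       = buf[1];
    out->frag_size = be16(buf + 2);
    out->offset    = be16(buf + 4);
    out->tag       = be16(buf + 6);
    /* Second check: the claimed payload must fit in what actually arrived,
     * otherwise a later copy of frag_size bytes would read past the buffer. */
    if (out->frag_size > len - RFRAG_HDR_LEN) {
        return RFRAG_BAD_LENGTH;
    }
    return RFRAG_OK;
}

/* Constructed sample frames (not captured traffic). The dispatch byte 0xE8
 * is simply a value chosen for the example. */
static const uint8_t SAMPLE_TRUNCATED[] = {0xE8, 0x01, 0x00, 0x04, 0x00};   /* 5 bytes */
static const uint8_t SAMPLE_GOOD[] = {0xE8, 0x01, 0x00, 0x04, 0x00, 0x00, 0xBE, 0xEF,
                                      0xAA, 0xBB, 0xCC, 0xDD};              /* 8 + 4 bytes */
static const uint8_t SAMPLE_LYING[] = {0xE8, 0x01, 0x00, 0x64, 0x00, 0x00, 0xBE, 0xEF,
                                       0xAA, 0xBB, 0xCC, 0xDD};             /* claims 100 */

rfrag_status_t check_truncated(void)
{
    example_rfrag_t h;
    return parse_rfrag(SAMPLE_TRUNCATED, sizeof(SAMPLE_TRUNCATED), &h);
}

rfrag_status_t check_good(void)
{
    example_rfrag_t h;
    return parse_rfrag(SAMPLE_GOOD, sizeof(SAMPLE_GOOD), &h);
}

rfrag_status_t check_lying(void)
{
    example_rfrag_t h;
    return parse_rfrag(SAMPLE_LYING, sizeof(SAMPLE_LYING), &h);
}

/* Returns the tag of the well-formed sample, 0 if it failed validation. */
uint16_t good_tag(void)
{
    example_rfrag_t h;
    if (parse_rfrag(SAMPLE_GOOD, sizeof(SAMPLE_GOOD), &h) != RFRAG_OK) {
        return 0;
    }
    return h.tag;
}

int main(void)
{
    printf("truncated frame: %d\n", (int)check_truncated());
    printf("well-formed frame: %d (tag 0x%04X)\n", (int)check_good(), good_tag());
    printf("over-claiming frame: %d\n", (int)check_lying());
    return 0;
}
```

Each rejected frame is dropped before any field is used, which is the behaviour a temporary patch to the sixlowpan module would need to provide: the decision is made on the received length, never on values taken from the untrusted header.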

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Thu, 05 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Riot-os; Riot-os riot
Vendors & Products | | Riot-os; Riot-os riot

Wed, 04 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists.
Title | | RIOT Vulnerable to Multiple Out-of-Bounds Read When Processing Received 6LoWPAN SFR Fragments
Weaknesses | | CWE-125
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:29:55.053Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25139

Vulnrichment

Updated: 2026-02-04T19:29:48.547Z

NVD

Status: Analyzed

Published: 2026-02-04T18:16:09.207

Modified: 2026-02-20T17:08:42.677

Link: CVE-2026-25139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses