Description
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

An out-of-bounds write bug exists in RIOT‑OS 2026.01 and earlier within the default coap_well_known_core handler. The handler directs user-supplied CoAP option data into a fixed-size buffer without validating that the buffer can hold the response. This flaw can corrupt adjacent stack memory, including sensitive addresses such as the return pointer, enabling an attacker to trigger denial of service or execute arbitrary code on the device. The weakness is classified as CWE‑787 Consumer Input Validation failure leading to out-of-bounds write.

Affected Systems

Affected products include the RIOT‑OS operating system released up to and including version 2026.01. No other versions or products are listed as impacted, and the vulnerability is specific to the nanoCoAP handler within RIOT‑OS.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity. EPSS indicates an exploitation probability of less than 1%, and it is not listed in the CISA KEV catalogue, suggesting no publicly known exploits. The likely attack vector requires an attacker that can send crafted CoAP requests to the device; the vulnerability relies on leaking data through the CoAP protocol on a network where the device is reachable. While exploitation may demand some effort to correctly format the oversized option data, the absence of additional authentication or input checks lowers the barrier for an attacker with network access to the target.

Generated by OpenCVE AI on March 16, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-proposed patch or upgrade to a newer RIOT-OS release that contains the fix (see the GitHub advisory GHSA-qgj4-9jff-93cj).
  • If an immediate patch is not available, restrict exposure of the coap_well_known_core resource by disabling it or limiting access to trusted networks only.
  • As a temporary measure, block unauthenticated CoAP traffic to the device using firewall rules or network segmentation.
  • Monitor device logs for unusually large CoAP option fields or abnormal request patterns that may indicate exploitation attempts.

Generated by OpenCVE AI on March 16, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Riot-os
Riot-os riot
Vendors & Products Riot-os
Riot-os riot

Wed, 11 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
Title RIOT has an Out-of-Bounds Write in nanoCoAP Handler
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Riot-os Riot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:53:21.857Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27703

cve-icon Vulnrichment

Updated: 2026-03-12T19:53:18.962Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:14.990

Modified: 2026-03-16T20:19:49.037

Link: CVE-2026-27703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:16Z

Weaknesses