RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
References
| Link | Resource |
|---|---|
| https://github.com/RIOT-OS/RIOT | Product |
| https://seclists.org/fulldisclosure/2026/Jan/15 | Exploit Mailing List Third Party Advisory |
| https://www.riot-os.org/ | Product |
| https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Jan 2026, 17:44
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| First Time |
Riot-os
Riot-os riot |
|
| CPE | cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:* cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:* cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:* |
|
| References | () https://github.com/RIOT-OS/RIOT - Product | |
| References | () https://seclists.org/fulldisclosure/2026/Jan/15 - Exploit, Mailing List, Third Party Advisory | |
| References | () https://www.riot-os.org/ - Product | |
| References | () https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility - Third Party Advisory |
12 Jan 2026, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-12 23:15
Updated : 2026-01-21 17:44
NVD link : CVE-2026-22213
Mitre link : CVE-2026-22213
CVE.ORG link : CVE-2026-22213
JSON object : View
Products Affected
riot-os
- riot
CWE
CWE-121
Stack-based Buffer Overflow