CVE-2025-66646: CWE-476: NULL Pointer Dereference in RIOT-OS RIOT
CVE-2025-66646 is a low-severity vulnerability in RIOT OS versions prior to 2025.10, affecting the IPv6 fragmentation reassembly module. The flaw is a NULL pointer dereference triggered when a fragmented IPv6 packet with fragment offset 0 and an empty payload is received, causing the OS to crash and resulting in a denial of service (DoS). Exploitation requires the gnrc_ipv6_ext_frag module to be enabled and the attacker to send crafted IPv6 packets to the device. No authentication or user interaction is needed, but the impact is limited to DoS without data compromise. The vulnerability has a CVSS 4.0 score of 1.7, indicating low severity. European organizations using RIOT OS in IoT or embedded devices should update to version 2025.10 to mitigate this issue.
AI Analysis
Technical Summary
CVE-2025-66646 is a vulnerability identified in the open-source RIOT OS, an operating system tailored for IoT and embedded devices. The issue resides in the IPv6 fragmentation reassembly implementation, specifically within the gnrc_ipv6_ext_frag module. When the system receives a fragmented IPv6 packet where the fragment offset is zero but the payload is empty, the payload pointer is set to NULL. Despite this, the code attempts to copy the payload into the reassembly buffer, leading to a NULL pointer dereference. This causes the operating system to crash, resulting in a denial of service condition. The vulnerability affects all RIOT OS versions prior to 2025.10, where the flaw has been fixed. Exploitation requires an attacker to send specially crafted IPv6 packets to the device, with no need for authentication or user interaction. The CVSS 4.0 score of 1.7 reflects the low impact, as the vulnerability only causes a crash without compromising confidentiality or integrity. No known exploits are currently in the wild. This vulnerability highlights the risks inherent in IPv6 packet processing in constrained IoT environments and the importance of robust input validation and error handling in embedded OS network stacks.
Potential Impact
For European organizations deploying RIOT OS in IoT devices, this vulnerability could lead to denial of service conditions on affected devices. While the impact is limited to availability and does not affect confidentiality or integrity, DoS in IoT devices can disrupt critical services, especially in industrial control systems, smart city infrastructure, and healthcare monitoring devices. The ability to remotely trigger the crash without authentication increases the risk in environments where devices are exposed to untrusted IPv6 networks. However, the low CVSS score and lack of known exploits suggest the threat is currently limited. Organizations relying heavily on RIOT OS for critical IoT deployments in Europe should consider the potential operational disruptions and prioritize patching to maintain service continuity.
Mitigation Recommendations
European organizations should immediately upgrade all RIOT OS deployments to version 2025.10 or later, where the vulnerability is patched. Network administrators should consider filtering or monitoring IPv6 fragmented packets, especially those with fragment offset zero and empty payloads, to detect or block suspicious traffic targeting the gnrc_ipv6_ext_frag module. Implementing network segmentation and limiting exposure of IoT devices to untrusted IPv6 networks can reduce attack surface. Additionally, organizations should audit their IoT device configurations to verify whether the vulnerable IPv6 fragmentation module is enabled and disable it if not required. Regular firmware and OS updates, combined with network-level anomaly detection tailored for IoT traffic patterns, will further mitigate risks from similar vulnerabilities.
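To make the failure mode from the technical summary and the detection rule from the mitigation section concrete, here is an added example in C; it is not RIOT's gnrc_ipv6_ext_frag code, and every name in it (frag_parse, frag_is_empty_first, frag_reassemble, rbuf_t) is hypothetical. It parses the RFC 8200 Fragment header, flags a first fragment (offset 0) that carries no payload, and shows the NULL/empty check whose absence leads to the crash described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of IPv6 fragment handling (hypothetical names, not RIOT's code). */
#define FRAG_HDR_LEN 8   /* RFC 8200 Fragment header: NH, Reserved, Offset/Res/M, Identification */
#define RBUF_SIZE    256 /* toy reassembly buffer */

typedef struct {
    uint8_t data[RBUF_SIZE];
    size_t  len;
} rbuf_t;

typedef struct {
    uint16_t       offset;      /* byte offset of this fragment within the original payload */
    int            more;        /* M flag: more fragments follow */
    const uint8_t *payload;     /* NULL when the fragment carries no data */
    size_t         payload_len;
} frag_t;

/* Parse the Fragment extension header (and trailing data) that follows the base IPv6 header. */
static int frag_parse(const uint8_t *ext, size_t ext_len, frag_t *f)
{
    if (ext_len < FRAG_HDR_LEN) return -1;                /* truncated header: reject */
    uint16_t field = (uint16_t)((ext[2] << 8) | ext[3]);
    f->offset      = (uint16_t)((field >> 3) * 8);        /* 13-bit offset in 8-octet units */
    f->more        = field & 1;
    f->payload_len = ext_len - FRAG_HDR_LEN;
    /* Same shape as the reported flaw: an empty fragment leaves the payload pointer NULL. */
    f->payload     = f->payload_len ? ext + FRAG_HDR_LEN : NULL;
    return 0;
}

/* Detection rule from the mitigation section: first fragment (offset 0) with an empty payload. */
static int frag_is_empty_first(const frag_t *f)
{
    return f->offset == 0 && f->payload_len == 0;
}

/* Hardened reassembly step. The vulnerable pattern skips the first check and goes
 * straight to memcpy(), dereferencing the NULL payload pointer for an empty first fragment. */
static int frag_reassemble(rbuf_t *rb, const frag_t *f)
{
    if (f->payload == NULL || f->payload_len == 0) return -1;      /* drop, never copy */
    if ((size_t)f->offset + f->payload_len > RBUF_SIZE) return -1; /* bounds check */
    memcpy(rb->data + f->offset, f->payload, f->payload_len);
    if (rb->len < (size_t)f->offset + f->payload_len) {
        rb->len = (size_t)f->offset + f->payload_len;
    }
    return 0;
}
```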
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T20:23:19.595Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6943060a0b6f32e62bf23024
Added to database: 12/17/2025, 7:35:38 PM
Last enriched: 12/24/2025, 8:47:14 PM
Last updated: 2/6/2026, 6:26:05 PM