CVE-2025-66646: CWE-476: NULL Pointer Dereference in RIOT-OS RIOT
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving a fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66646 is a NULL pointer dereference vulnerability classified under CWE-476 found in the IPv6 fragmentation reassembly implementation of RIOT OS, an open-source operating system tailored for IoT and embedded devices. Specifically, when the system receives a fragmented IPv6 packet with a fragment offset of zero but an empty payload, the payload pointer is set to NULL. Despite this, the code attempts to copy the payload into the reassembly buffer, causing a NULL pointer dereference that crashes the OS, resulting in a denial of service. The vulnerability requires the gnrc_ipv6_ext_frag module to be enabled and an attacker capable of sending arbitrary IPv6 packets to the device. RIOT OS versions prior to 2025.10 are affected, with the vulnerability patched in version 2025.10. The CVSS 4.0 score is 1.7 (low severity), reflecting that the impact is limited to availability even though exploitation needs no authentication or user interaction. No known exploits have been reported in the wild. This vulnerability primarily impacts availability by causing device crashes, which can disrupt IoT device operations and potentially affect larger systems relying on these devices.
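The following is an added example, not RIOT's gnrc_ipv6_ext_frag code, showing the defect class the advisory describes in a simplified C model of one reassembly step: a fragment arrives with offset 0 and no payload, the payload pointer is NULL, and an unconditional memcpy() would dereference it. The hardened handler rejects NULL or zero-length payloads before copying and also bounds-checks the destination range. All names (rbuf_t, frag_t, rbuf_add_fragment, the demo_* helpers) and the 1280-byte buffer size are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of one IPv6 fragment reassembly step.
 * Added illustration only; not RIOT's gnrc_ipv6_ext_frag implementation.
 * rbuf_t, frag_t and rbuf_add_fragment() are hypothetical names. */

#define RBUF_SIZE 1280U                  /* constructed reassembly buffer size */

typedef struct {
    uint8_t data[RBUF_SIZE];             /* reassembled datagram bytes */
    size_t  received;                    /* bytes copied in so far */
} rbuf_t;

typedef struct {
    uint16_t       offset;               /* fragment offset in bytes */
    const uint8_t *payload;              /* NULL when the fragment carries no data */
    size_t         len;                  /* payload length; 0 for an empty fragment */
} frag_t;

enum { RBUF_ERR_EMPTY = -1, RBUF_ERR_RANGE = -2 };

void rbuf_init(rbuf_t *rb)
{
    memset(rb->data, 0, sizeof(rb->data));
    rb->received = 0;
}

/* Copy one fragment into the reassembly buffer.
 * Returns the number of bytes copied, or a negative error code.
 * The defect class in the advisory is an unconditional copy: an offset-0
 * fragment with an empty payload leaves payload == NULL and memcpy() then
 * dereferences it. The guard below drops that fragment before any copy. */
int rbuf_add_fragment(rbuf_t *rb, const frag_t *frag)
{
    if (frag->payload == NULL || frag->len == 0) {
        return RBUF_ERR_EMPTY;           /* nothing to copy; do not touch payload */
    }
    if ((size_t)frag->offset + frag->len > RBUF_SIZE) {
        return RBUF_ERR_RANGE;           /* would overrun the reassembly buffer */
    }
    memcpy(rb->data + frag->offset, frag->payload, frag->len);
    rb->received += frag->len;
    return (int)frag->len;
}

/* Constructed input: the advisory's trigger shape, offset 0 with no payload. */
int demo_empty_fragment(void)
{
    rbuf_t rb;
    frag_t empty = { .offset = 0, .payload = NULL, .len = 0 };
    rbuf_init(&rb);
    return rbuf_add_fragment(&rb, &empty);
}

/* Constructed input: a normal first fragment, to show the happy path still works.
 * Returns bytes copied, or -100 if the buffer contents do not match. */
int demo_valid_fragment(void)
{
    static const uint8_t sample[] = { 0x60, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef };
    rbuf_t rb;
    frag_t first = { .offset = 0, .payload = sample, .len = sizeof(sample) };
    int n;
    rbuf_init(&rb);
    n = rbuf_add_fragment(&rb, &first);
    if (n != (int)sizeof(sample) || memcmp(rb.data, sample, sizeof(sample)) != 0) {
        return -100;
    }
    return n;
}

/* Constructed input: a fragment whose offset plus length exceeds the buffer. */
int demo_out_of_range(void)
{
    static const uint8_t sample[4] = { 1, 2, 3, 4 };
    rbuf_t rb;
    frag_t tail = { .offset = RBUF_SIZE - 2, .payload = sample, .len = sizeof(sample) };
    rbuf_init(&rb);
    return rbuf_add_fragment(&rb, &tail);
}

int main(void)
{
    printf("empty fragment  -> %d (expected %d)\n", demo_empty_fragment(), RBUF_ERR_EMPTY);
    printf("valid fragment  -> %d bytes copied\n", demo_valid_fragment());
    printf("out-of-range    -> %d (expected %d)\n", demo_out_of_range(), RBUF_ERR_RANGE);
    return 0;
}
```

The point for reviewers of reassembly code is that the NULL check and the length check are the same check: a zero-length fragment is valid on the wire, so the handler must treat "no bytes" as a drop rather than assume a pointer is always present.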
Potential Impact
For European organizations, the primary impact of this vulnerability is a denial of service on IoT and embedded devices running vulnerable versions of RIOT OS. This can lead to temporary loss of device functionality, which may disrupt critical infrastructure, industrial automation, smart city applications, and other IoT-dependent services. Given the increasing reliance on IoT devices in sectors such as manufacturing, energy, healthcare, and transportation across Europe, exploitation could degrade operational continuity and safety. Although the vulnerability does not allow for data theft or system compromise beyond DoS, the interruption of services could have cascading effects, especially in environments where IoT devices are integral to monitoring and control. The low CVSS score indicates limited risk, but targeted attacks on critical IoT deployments could still cause meaningful disruption.
Mitigation Recommendations
The primary mitigation is to upgrade all RIOT OS deployments to version 2025.10 or later, where the vulnerability is fixed. Organizations should audit their IoT and embedded device inventories to identify devices running vulnerable RIOT OS versions. If upgrading is not immediately feasible, disabling the gnrc_ipv6_ext_frag module can prevent exploitation by removing the vulnerable IPv6 fragmentation reassembly functionality. Network-level controls should be implemented to restrict or filter incoming IPv6 traffic, especially from untrusted sources, to reduce exposure to crafted fragmented packets. Monitoring network traffic for unusual IPv6 fragmentation patterns can help detect attempted exploitation. Additionally, implementing segmentation and isolation of IoT devices limits the impact of any potential DoS. Regularly applying security updates and maintaining an asset management program for IoT devices is critical to prevent exploitation of such vulnerabilities.
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T20:23:19.595Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6943060a0b6f32e62bf23024
Added to database: 12/17/2025, 7:35:38 PM
Last enriched: 12/17/2025, 7:50:57 PM
Last updated: 12/18/2025, 3:54:11 AM