CVE-2025-66647: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in RIOT-OS RIOT
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers, which an attacker might be able to use to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-66647 is a classic buffer overflow vulnerability (CWE-120) found in the IPv6 fragmentation reassembly implementation of RIOT-OS, an open-source operating system tailored for IoT and embedded devices. Specifically, when the system processes the first IPv6 fragment (offset=0), it copies the fragment's content into a reassembly buffer without verifying the fragment size against the buffer capacity. An attacker can exploit this by first sending a smaller fragment to create a small reassembly buffer, then sending a larger fragment to overflow this buffer. This overflow corrupts adjacent packet buffers, potentially enabling further memory corruption and remote code execution. The vulnerability requires the gnrc_ipv6_ext_frag module to be included in the build and the attacker to have the ability to send arbitrary IPv6 packets to the target device. The flaw affects all RIOT-OS versions before 2025.10, where the issue has been patched. The CVSS 4.0 score is 1.7, indicating low severity due to the need for network access, no privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability. No public exploits or active attacks have been reported to date.
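As an added illustration, not code from RIOT or from the advisory: a hypothetical C model of a reassembly buffer that is sized from the first fragment, with the length check the vulnerable path lacked, replayed against the two-fragment sequence described above. All structure and function names (`rbuf_t`, `rbuf_init`, `rbuf_add_first`, `run_scenario`) are assumptions and the payloads are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of an IPv6 reassembly buffer; not RIOT's gnrc code. */
typedef struct {
    uint8_t *data;       /* reassembly storage */
    size_t   cap;        /* bytes allocated, sized from the first fragment seen */
    size_t   len;        /* bytes written so far */
    int      have_first; /* set once an offset=0 fragment has been accepted */
} rbuf_t;
enum { FRAG_ACCEPT = 0, FRAG_REJECT_TOO_LARGE = -1, FRAG_REJECT_DUP_FIRST = -2 };

/* Size the buffer from the first fragment's length: this is the step the
 * advisory describes as letting a short fragment force a small buffer. */
int rbuf_init(rbuf_t *rb, size_t first_len) {
    rb->data = calloc(first_len ? first_len : 1, 1);
    if (rb->data == NULL) return -1;
    rb->cap = first_len; rb->len = 0; rb->have_first = 0;
    return 0;
}

/* Hardened copy of an offset=0 fragment. The check the vulnerable code lacked
 * is `len > rb->cap`: without it memcpy runs past the buffer into neighbouring
 * packet buffers. A second offset=0 fragment is refused instead of merged. */
int rbuf_add_first(rbuf_t *rb, const uint8_t *frag, size_t len) {
    if (len > rb->cap) return FRAG_REJECT_TOO_LARGE;
    if (rb->have_first) return FRAG_REJECT_DUP_FIRST;
    memcpy(rb->data, frag, len); /* safe: len <= cap */
    rb->len = len;
    rb->have_first = 1;
    return FRAG_ACCEPT;
}

/* Replay the advisory's sequence with constructed payloads: size the buffer
 * from first_len, store that fragment, then offer a second offset=0 fragment
 * of second_len bytes. Returns the verdict for the second fragment. */
int run_scenario(size_t first_len, size_t second_len) {
    rbuf_t rb;
    uint8_t *a = malloc(first_len + 1), *b = malloc(second_len + 1);
    int verdict = -99;
    if (a && b && rbuf_init(&rb, first_len) == 0) {
        memset(a, 0xAA, first_len); memset(b, 0xBB, second_len);
        if (rbuf_add_first(&rb, a, first_len) == FRAG_ACCEPT)
            verdict = rbuf_add_first(&rb, b, second_len);
        free(rb.data);
    }
    free(a); free(b);
    return verdict;
}
```

The model refuses the oversized second fragment before any copy happens, which is the property a patched build should exhibit for the sequence in the advisory.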
Potential Impact
For European organizations deploying IoT or embedded devices running vulnerable versions of RIOT-OS, this vulnerability could lead to memory corruption and potentially remote code execution on affected devices. This poses risks to the confidentiality and integrity of data processed by these devices and could disrupt device availability if exploited to cause crashes. Given the low CVSS score and the requirement for network-level IPv6 access, the threat is limited to environments where attackers can reach the vulnerable devices over IPv6 networks. However, in critical infrastructure sectors such as smart city deployments, industrial IoT, or healthcare devices that rely on RIOT-OS, exploitation could lead to operational disruptions or unauthorized control. The lack of known exploits reduces immediate risk, but the potential for remote code execution warrants timely patching to prevent future attacks.
Mitigation Recommendations
European organizations should ensure all RIOT-OS deployments are updated to version 2025.10 or later, where the vulnerability is fixed. Network segmentation should be employed to restrict IPv6 traffic to trusted sources, minimizing exposure to arbitrary packet injection. Disable the gnrc_ipv6_ext_frag module if IPv6 fragmentation reassembly is not required by the application to reduce the attack surface. Implement network monitoring to detect anomalous IPv6 fragmentation patterns that could indicate exploitation attempts. For devices in critical environments, consider additional endpoint protections such as memory protection mechanisms and runtime integrity checks. Regularly audit IoT device firmware versions and configurations to ensure compliance with security best practices. Finally, coordinate with device manufacturers and suppliers to verify patch deployment and vulnerability management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-05T20:23:19.596Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6943126ec9138a40d2ed3260
Added to database: 12/17/2025, 8:28:30 PM
Last enriched: 12/17/2025, 8:43:26 PM
Last updated: 12/18/2025, 3:53:41 AM