RIOT OS: Unvalidated Buffer Writes Data into Stack

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

RIOT OS: Unvalidated Buffer Writes Data into Stack

CVE-2026-27703

Summary

If you're using RIOT OS versions 2026.01 or earlier, an attacker could potentially cause your IoT device to crash or run malicious code. This is a serious issue because it could allow an attacker to take control of your device. Update to the latest version of RIOT OS to fix the problem.

Original title

Original description

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.

nvd CVSS3.1 7.5

Vulnerability type

CWE-787 Out-of-bounds Write

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026