CVE-2025-66647
Published: 17 December 2025
Description
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers, which an attacker might be able to use to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue.
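To make the two-fragment sequence in the description concrete, here is an added C model of the two code shapes it contrasts. This is example code written for this page, not RIOT's `gnrc_ipv6_ext_frag` implementation; it does not reproduce RIOT's pktbuf or its Fragment-header parsing. It assumes a flat byte pool standing in for the packet-buffer arena, a reassembly buffer whose capacity is fixed by the length of the first offset=0 fragment, and fragment offsets already converted to bytes; the 8-byte and 80-byte payloads are constructed. `handle_fragment_vuln` bounds-checks non-zero offsets but copies an offset=0 fragment as received, while `handle_fragment_fixed` applies the same bound to every offset. A canary written behind the reassembly buffer shows whether the neighbouring buffers survived.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the packet-buffer arena (not RIOT's pktbuf): the
 * reassembly buffer is carved from the front; everything behind it models
 * other live packet buffers. */
#define POOL_SIZE 128u
#define CANARY    0xA5u
static uint8_t pool[POOL_SIZE];

typedef struct {
    uint8_t *data;      /* reassembly buffer inside `pool` */
    size_t size;        /* capacity, fixed when the first offset=0 fragment arrives */
    bool allocated;
} rbuf_t;

typedef struct {
    size_t offset;      /* byte offset; the real Fragment header stores 8-octet units */
    const uint8_t *payload;
    size_t len;
} frag_t;

/* Modelling assumption: the buffer is sized from the first fragment's length. */
static bool rbuf_alloc(rbuf_t *rb, size_t size)
{
    if (size == 0 || size > POOL_SIZE) return false;
    memset(pool, 0, POOL_SIZE);
    memset(pool + size, CANARY, POOL_SIZE - size);  /* canary over the neighbours */
    rb->data = pool;
    rb->size = size;
    rb->allocated = true;
    return true;
}

/* True while no byte behind the reassembly buffer has been touched. */
static bool neighbours_intact(const rbuf_t *rb)
{
    for (size_t i = rb->size; i < POOL_SIZE; i++)
        if (pool[i] != CANARY) return false;
    return true;
}

/* Vulnerable shape: non-zero offsets are bounds-checked, but the offset=0
 * path copies whatever length the fragment carries. */
static bool handle_fragment_vuln(rbuf_t *rb, const frag_t *f)
{
    if (!rb->allocated && !rbuf_alloc(rb, f->len)) return false;
    if (f->offset == 0) {
        /* Demo-only guard so the example never writes outside `pool`; the
         * check that is actually missing here is `f->len <= rb->size`. */
        if (f->len > POOL_SIZE) return false;
        memcpy(rb->data, f->payload, f->len);   /* overflows when f->len > rb->size */
        return true;
    }
    if (f->offset > rb->size || f->len > rb->size - f->offset) return false;
    memcpy(rb->data + f->offset, f->payload, f->len);
    return true;
}

/* Hardened shape: one bound for every offset, 0 included. A fragment that does
 * not fit the buffer that already exists is dropped. */
static bool handle_fragment_fixed(rbuf_t *rb, const frag_t *f)
{
    if (!rb->allocated && !rbuf_alloc(rb, f->len)) return false;
    if (f->offset > rb->size || f->len > rb->size - f->offset) return false;
    memcpy(rb->data + f->offset, f->payload, f->len);
    return true;
}

typedef struct {
    bool second_accepted;   /* did the handler copy the oversized second fragment? */
    bool neighbours_intact; /* did the canary survive? */
} replay_result_t;

/* Replays the advisory's sequence against one handler: an 8-byte offset=0
 * fragment, then an 80-byte offset=0 fragment for the same datagram.
 * Payload bytes are constructed, not captured traffic. */
static replay_result_t replay(bool (*handler)(rbuf_t *, const frag_t *))
{
    static uint8_t small[8], large[80];
    memset(small, 0x11, sizeof small);
    memset(large, 0x22, sizeof large);
    rbuf_t rb = { NULL, 0, false };
    frag_t first = { 0, small, sizeof small };    /* sizes the buffer to 8 bytes */
    frag_t second = { 0, large, sizeof large };   /* 72 bytes more than it holds */
    replay_result_t r;
    (void)handler(&rb, &first);
    r.second_accepted = handler(&rb, &second);
    r.neighbours_intact = neighbours_intact(&rb);
    return r;
}

int main(void)
{
    replay_result_t v = replay(handle_fragment_vuln);
    replay_result_t f = replay(handle_fragment_fixed);
    printf("vulnerable: second accepted=%d neighbours intact=%d\n", v.second_accepted, v.neighbours_intact);
    printf("fixed:      second accepted=%d neighbours intact=%d\n", f.second_accepted, f.neighbours_intact);
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable handler reports the oversized fragment as accepted and the canary as clobbered, the fixed handler rejects the fragment and the canary survives. The size check is the whole fix. On real hardware, what the clobbered bytes belong to depends on how the packet-buffer allocator lays out neighbouring allocations, which is why the advisory describes the outcome as corruption of other packet buffers rather than a fixed crash.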
Mitigating Controls (NIST 800-53 r5) [AI]
Directly mitigates the buffer overflow by requiring timely remediation through upgrading RIOT OS to version 2025.10 or later where the flaw is fixed.
Addresses the root cause by enforcing validation of IPv6 fragment sizes and offsets before copying into reassembly buffers, preventing overflows.
Provides memory protections such as non-executable regions or stack guards to limit exploitation of the buffer overflow into remote code execution.
Security Summary [AI]
CVE-2025-66647 is a buffer overflow vulnerability (CWE-120) in the IPv6 fragmentation reassembly implementation of RIOT OS version 2025.07, an open-source operating system for Internet of Things (IoT) and embedded devices. The issue resides in the `gnrc_ipv6_ext_frag` module, where copying the contents of the first fragment (offset=0) into the reassembly buffer lacks a size check. An attacker can force the creation of a small reassembly buffer by sending a short initial fragment (offset=0), so that a later, longer offset=0 fragment for the same datagram overflows it and corrupts adjacent packet buffers.
Any remote attacker able to send arbitrary IPv6 packets to a victim device whose build includes the `gnrc_ipv6_ext_frag` module can exploit this vulnerability. By controlling fragment sizes, the attacker overflows the reassembly buffer and corrupts other packet buffers, which can lead to further memory corruption and potentially remote code execution. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable, unauthenticated flaw that needs no user interaction and has high impact on confidentiality, integrity and availability.
RIOT OS version 2025.10 fixes the vulnerability, as detailed in its release notes. The advisory points to lines 411, 481, 532 and 544 of `sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c` in the RIOT GitHub repository as the affected code. Security practitioners should upgrade affected devices to 2025.10 or later and check whether the `gnrc_ipv6_ext_frag` module is compiled into their builds; devices built without the module are not exposed to this issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is a remotely exploitable buffer overflow in the IPv6 network stack of RIOT OS, directly enabling exploitation of a public-facing network service for memory corruption or RCE.