Cyber Posture

CVE-2026-25139

Critical · Public PoC

Published: 04 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none known at time of publication
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

RIOT is an open-source microcontroller operating system designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds reads allow any unauthenticated user able to send or manipulate input packets to read adjacent memory locations or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating that the packet is large enough to contain the struct. At time of publication, no known patch exists.

Mitigating Controls (NIST 800-53 r5) · AI-generated

prevent · SI-10 (Information Input Validation): requires validating inputs such as the received packet length before the packet is cast and dereferenced; a check that the packet holds at least the full struct directly prevents the out-of-bounds read in the 6LoWPAN stack.

prevent · SI-11 (Error Handling): requires that a malformed or truncated packet is handled as an error without exposing internal state, limiting what the error path reveals; it does not by itself remove the missing length check.

prevent · SI-16 (Memory Protection): covers hardware and software safeguards, such as a memory protection unit, that constrain which adjacent memory an out-of-bounds read can reach; on a microcontroller without such protection it offers no barrier, so the SI-10 check remains the primary fix.
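The bug class described above (cast a received buffer to a header struct and dereference it without first checking that the buffer is at least sizeof(struct) bytes) and the SI-10 length check that closes it, as an added C example. This is not RIOT's code: the five-byte rfrag_hdr_t, the dispatch constant, the error codes and the rule that frag_size counts payload bytes after the header are assumptions constructed for illustration, not the layout or behaviour of sixlowpan_sfr_rfrag_t. The packet bytes are constructed too; the truncated packet is placed inside a larger array so that the demo itself stays within defined behaviour while still showing the parser returning bytes that were never part of the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical 5-byte fragment header, constructed for this example. It is
 * shaped like an RFC 8931 RFRAG header (dispatch, sequence/size, offset) but
 * is an assumption: it is NOT RIOT's sixlowpan_sfr_rfrag_t. */
typedef struct {
    uint8_t dispatch;   /* 1110100X: RFRAG dispatch, X = ack request    */
    uint8_t seq_fs[2];  /* E bit | 5-bit sequence | 10-bit fragment_size */
    uint8_t offset[2];  /* 16-bit fragment offset, big-endian           */
} rfrag_hdr_t;          /* all-byte members: sizeof == 5, no padding     */

#define RFRAG_DISPATCH_MASK 0xFEu
#define RFRAG_DISPATCH      0xE8u   /* 1110 1000 */

typedef struct { uint8_t seq; uint16_t frag_size, offset; } rfrag_fields_t;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void unpack(const rfrag_hdr_t *h, rfrag_fields_t *out)
{
    uint16_t sf    = be16(h->seq_fs);
    out->seq       = (uint8_t)((sf >> 10) & 0x1F);
    out->frag_size = sf & 0x3FF;
    out->offset    = be16(h->offset);
}

/* Vulnerable pattern (the bug class in the advisory): cast the packet to the
 * header struct and dereference it. `len` is never compared with
 * sizeof(rfrag_hdr_t), so a truncated packet is read past its end. */
int rfrag_parse_vulnerable(const uint8_t *pkt, size_t len, rfrag_fields_t *out)
{
    (void)len;                                  /* ignored: that is the bug */
    const rfrag_hdr_t *h = (const rfrag_hdr_t *)pkt;
    if ((h->dispatch & RFRAG_DISPATCH_MASK) != RFRAG_DISPATCH) return -2;
    unpack(h, out);
    return 0;
}

/* Hardened form: validate the buffer before touching any header field (the
 * SI-10 check), copy the header out instead of aliasing the packet, and
 * refuse a header whose declared fragment size exceeds the bytes received.
 * That frag_size counts payload bytes after the header is an assumption. */
int rfrag_parse_hardened(const uint8_t *pkt, size_t len, rfrag_fields_t *out)
{
    rfrag_hdr_t h;
    rfrag_fields_t f;
    if (pkt == NULL || out == NULL || len < sizeof(h)) return -1; /* too short */
    memcpy(&h, pkt, sizeof(h));
    if ((h.dispatch & RFRAG_DISPATCH_MASK) != RFRAG_DISPATCH) return -2;
    unpack(&h, &f);
    if (f.frag_size > len - sizeof(h)) return -3;   /* claims more than we got */
    *out = f;
    return 0;
}

/* Constructed demo input: a 1-byte truncated packet (just the dispatch byte)
 * followed by bytes standing in for adjacent memory. One array keeps the demo
 * free of undefined behaviour while showing the parser returning bytes that
 * were never part of the packet. */
static const uint8_t demo_arena[] = {
    0xE8,                                       /* the whole packet  */
    0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x00    /* "adjacent memory" */
};
#define DEMO_TRUNCATED_LEN 1u
/* Constructed well-formed packet: seq 1, frag_size 5, offset 16, 5 payload bytes. */
static const uint8_t demo_full[] = {
    0xE8, 0x04, 0x05, 0x00, 0x10, 0x01, 0x02, 0x03, 0x04, 0x05
};

uint16_t demo_vulnerable_leaked_offset(void)
{
    rfrag_fields_t f = {0};
    rfrag_parse_vulnerable(demo_arena, DEMO_TRUNCATED_LEN, &f);
    return f.offset;                            /* 0xBEEF, from arena[3..4] */
}
int demo_hardened_truncated(void)
{
    rfrag_fields_t f = {0};
    return rfrag_parse_hardened(demo_arena, DEMO_TRUNCATED_LEN, &f);   /* -1 */
}
int demo_hardened_full(void)
{
    rfrag_fields_t f = {0};
    int rc = rfrag_parse_hardened(demo_full, sizeof(demo_full), &f);
    return (rc == 0 && f.seq == 1 && f.frag_size == 5 && f.offset == 16) ? 0 : -9;
}
int demo_hardened_short_payload(void)
{
    rfrag_fields_t f = {0};
    return rfrag_parse_hardened(demo_full, 7, &f);                     /* -3 */
}

int main(void)
{
    printf("vulnerable: leaked offset 0x%04X; hardened rc: truncated=%d full=%d short=%d\n",
           demo_vulnerable_leaked_offset(), demo_hardened_truncated(),
           demo_hardened_full(), demo_hardened_short_payload());
    return 0;
}
```

Build with any C99 compiler (for example `cc -Wall -o rfrag rfrag.c`) and run it: the vulnerable parser reports an offset of 0xBEEF, which is arena[3..4] and not part of the one-byte packet, while the hardened parser returns -1 for the same input. In a real stack those neighbouring bytes are whatever sits after the packet buffer (the C:H side of the score); if the buffer ends at the edge of valid memory the read faults instead and the device resets (the A:H side).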

Security Summary · AI-generated

CVE-2026-25139 affects RIOT, an open-source operating system designed for microcontrollers in Internet of Things (IoT) devices and other embedded systems. Versions 2025.10 and prior are vulnerable to multiple out-of-bounds read flaws in the 6LoWPAN stack. The issue arises when a received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without first validating that the packet is large enough to contain the struct, classified under CWE-125 (Out-of-bounds Read).

Any unauthenticated attacker capable of sending or manipulating input packets can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Exploitation enables reading of adjacent memory locations, potentially disclosing sensitive information (C:H), or crashing the device (A:H), resulting in denial of service; there is no integrity impact (I:N) and no scope change (S:U). The CVSS v3.1 base score is 9.1.

The GitHub security advisory (GHSA-c8fh-23qr-97mc), published on 2026-02-04, states that no known patch exists at the time of publication.

Details

CWE(s): CWE-125 Out-of-bounds Read

Affected Products: riot-os / riot, versions ≤ 2025.10

MITRE ATT&CK Enterprise Techniques · AI-generated

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The 6LoWPAN stack is reachable by any unauthenticated peer able to inject packets into the link, so a malformed fragment sent to an exposed device maps to T1190; the resulting crash denies availability of the endpoint (T1499.004), and the out-of-bounds read may additionally disclose adjacent memory.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References