CVE-2026-22214

EUVD-2026-2395

12.01.2026, 23:15

RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
riot-os	riot	𝑥 < 2025.10
riot-os	riot	2026.01:devel
riot-os	riot	2026.01:rc1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-121 - Stack-based Buffer Overflow
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

References

https://github.com/RIOT-OS/RIOT

https://seclists.org/fulldisclosure/2026/Jan/16

https://www.riot-os.org/

https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser