CVE-2025-66646
NULL Pointer Dereference in RIOT OS IPv6 Fragmentation Causes DoS
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riot | riot_os | 2025.07 |
| riot | riot_os | 2025.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the IPv6 fragmentation reassembly implementation of RIOT OS version 2025.07 and earlier. When the system receives a fragmented IPv6 packet with a fragment offset of 0 and an empty payload, the payload pointer is set to NULL. However, the code does not check for this NULL pointer before attempting to copy the payload into the reassembly buffer, which leads to a NULL pointer dereference and causes the operating system to crash, resulting in a Denial of Service (DoS). The vulnerability requires the gnrc_ipv6_ext_frag module to be enabled and an attacker capable of sending arbitrary IPv6 packets to the device. The issue is fixed in RIOT OS version 2025.10 by adding an early check to reject empty fragments before processing. [3, 2]
How can this vulnerability impact me?
The vulnerability can cause RIOT OS to crash due to a NULL pointer dereference when processing specially crafted IPv6 fragmented packets. This results in a Denial of Service (DoS), making the affected IoT or embedded device unavailable or unresponsive until it is restarted or recovered. An attacker who can send arbitrary IPv6 packets to the device can exploit this to disrupt its operation. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or Denial of Service events in RIOT OS devices running versions 2025.07 or earlier with the gnrc_ipv6_ext_frag module enabled. Detection involves identifying whether the device is receiving fragmented IPv6 packets with fragment offset 0 and empty payloads that cause NULL pointer dereferences. A practical approach is to capture and analyze IPv6 fragmented packets on the network, especially those with fragment offset 0 and a payload length matching the fragmentation header size (8 bytes). Using packet capture tools like tcpdump or Wireshark on the network interface connected to the device can help detect suspicious fragmented IPv6 packets. For example, a command to capture such packets could be: tcpdump -i <interface> 'ip6[6] == 44 and (ip6[42:2] & 0xfff8) == 0 and ip6[4:2] == 8' where ip6[6] == 44 selects packets whose Next Header is the IPv6 fragment header (protocol 44), ip6[42:2] & 0xfff8 == 0 selects fragment offset 0 (the offset occupies the upper 13 bits of the third and fourth bytes of the fragment header, which starts at ip6[40]; ip6[40] itself is the fragment header's own Next Header field, not the offset), and ip6[4:2] == 8 selects an IPv6 payload length equal to the 8-byte fragment header, i.e. a fragment with no data. This filter assumes the fragment header immediately follows the fixed 40-byte IPv6 header; any other extension header placed before it shifts these byte offsets. Additionally, testing with a crafted exploit script (as referenced in Resource 3) that sends two fragmented IPv6 packets with offset 0, the first with an empty payload, can confirm the vulnerability presence by causing a crash. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade RIOT OS to version 2025.10 or later, where this vulnerability is fixed by adding checks to reject empty IPv6 fragments early in the reassembly process. If upgrading is not immediately possible, disabling the gnrc_ipv6_ext_frag module (IPv6 fragmentation reassembly) can prevent the vulnerability from being triggered, although this may impact IPv6 fragmentation support. Additionally, restricting or filtering incoming IPv6 fragmented packets from untrusted sources at the network perimeter can reduce exposure. Applying network-level controls to block or drop suspicious fragmented IPv6 packets with fragment offset 0 and empty payloads can help mitigate attacks until the system is patched. [2, 3]
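As an added example, and not code from RIOT OS or from this page: a small C parser for the IPv6 fragment header that flags the packet shape the detection answer above filters for (offset 0, nothing after the 8-byte fragment header), paired with the kind of early reject the mitigation answer describes, applied before any payload is handed to reassembly. The byte offsets mirror the tcpdump filter; the sample packet is constructed locally in a buffer, and the names frag_info_t, parse_frag, frag_should_drop and sample_is_dropped are assumptions, not RIOT identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN          40
#define IPV6_FRAG_HDR_LEN     8
#define PROTNUM_IPV6_EXT_FRAG 44   /* IANA protocol number of the Fragment Header */

typedef struct {
    bool     is_fragment;  /* IPv6 next header (ip6[6]) == 44 */
    uint16_t offset;       /* fragment offset in bytes: 13-bit field << 3 */
    size_t   payload_len;  /* bytes that follow the 8-byte fragment header */
} frag_info_t;

/* Parse the fixed IPv6 header and a directly following fragment header.
 * Returns false if the buffer is too short for the headers it claims. */
bool parse_frag(const uint8_t *pkt, size_t len, frag_info_t *fi)
{
    memset(fi, 0, sizeof(*fi));
    if (len < IPV6_HDR_LEN) return false;
    if (pkt[6] != PROTNUM_IPV6_EXT_FRAG) return true;   /* not fragmented */
    if (len < IPV6_HDR_LEN + IPV6_FRAG_HDR_LEN) return false;
    const uint8_t *fh = pkt + IPV6_HDR_LEN;             /* ip6[40..47] */
    fi->is_fragment = true;
    fi->offset = (uint16_t)(((fh[2] << 8) | fh[3]) & 0xfff8); /* ip6[42:2] & 0xfff8 */
    fi->payload_len = len - IPV6_HDR_LEN - IPV6_FRAG_HDR_LEN;
    return true;
}

/* Early reject, as the fix describes: a fragment at offset 0 that carries no
 * data has nothing to copy, so reassembly must never be handed its payload. */
bool frag_should_drop(const frag_info_t *fi)
{
    return fi->is_fragment && fi->offset == 0 && fi->payload_len == 0;
}

/* Constructed test input (not a captured packet): IPv6 header with next header
 * 44, a fragment header at offset 0 with M=1, then payload_len zero bytes. */
bool sample_is_dropped(size_t payload_len)
{
    uint8_t buf[128] = {0}; frag_info_t fi;
    size_t total = IPV6_HDR_LEN + IPV6_FRAG_HDR_LEN + payload_len;
    if (total > sizeof(buf)) return false;
    buf[0] = 0x60; buf[5] = (uint8_t)(IPV6_FRAG_HDR_LEN + payload_len); /* version, payload length */
    buf[6] = PROTNUM_IPV6_EXT_FRAG; buf[7] = 64;      /* next header, hop limit */
    buf[IPV6_HDR_LEN] = 59;                           /* fragment's next header: none */
    buf[IPV6_HDR_LEN + 3] = 0x01;                     /* offset 0, M = 1 */
    return parse_frag(buf, total, &fi) && frag_should_drop(&fi);
}
```

Only the empty first fragment is rejected; a first fragment with any data, or a later fragment, passes on to reassembly as before.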