CVE-2025-69209
Stack-Based Buffer Overflow in ArduinoCore-avr Enables Code Execution
Publication date: 2026-01-21
Last updated on: 2026-01-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arduino | arduino_core_avr | up to 1.8.7 (exclusive) |
| arduino | arduino_core_avr | 1.8.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69209 is a stack-based buffer overflow vulnerability in the ArduinoCore-avr library affecting versions prior to 1.8.7. It occurs when converting floating-point values (float/double) to strings with very high precision. Specifically, by passing excessively large decimalPlaces values to the String constructors or concat methods, the dtostrf function writes beyond fixed-size stack buffers, causing memory corruption. This improper boundary checking during float/double to String conversion can lead to denial of service and, under certain conditions, arbitrary code execution on AVR-based Arduino boards. [1, 4]
How can this vulnerability impact me?
This vulnerability can cause memory corruption and denial of service on affected Arduino AVR boards by overflowing stack buffers during floating-point to string conversions. In more severe cases, it could allow an attacker to execute arbitrary code on the device, potentially compromising the system's integrity and security. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stack-based buffer overflow in the ArduinoCore-avr library, triggered when floating-point values are converted to strings with high precision. Detection consists of checking whether your system uses a vulnerable version of ArduinoCore-avr (prior to 1.8.7): verify the installed version in your Arduino environment or inspect the library files. Because the overflow is triggered by passing very large decimalPlaces values to String constructors or concat methods, you can also audit your code for such usage. The referenced resources provide no specific commands for runtime detection or network scanning. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ArduinoCore-avr library to version 1.8.7 or later, where the vulnerability has been fixed. The fix includes proper boundary checking of decimalPlaces values during floating-point to string conversions, preventing buffer overflows. You can obtain the patched version from the official ArduinoCore-avr repository release 1.8.7. Additionally, review your code to avoid passing excessively large decimalPlaces values to String constructors or concat methods until the update is applied. [2, 4]
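The kind of boundary check described above, shown as an added, desktop-runnable C example rather than ArduinoCore-avr's own fix: avr-libc's dtostrf is replaced by snprintf, the buffer size FLOAT_BUF_SIZE is a constructed value, and the unsigned char decimalPlaces parameter is assumed to mirror the String API.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer the conversion writes into.  The size is a constructed
 * example value, not the buffer size used inside ArduinoCore-avr. */
#define FLOAT_BUF_SIZE 33

/* Bound decimalPlaces so that sign, integer digits, the decimal point, the
 * decimals and the terminating NUL all fit in FLOAT_BUF_SIZE.  Non-finite
 * values are printed as "inf"/"nan" by snprintf, so they get no decimals. */
unsigned char clamp_decimal_places(double value, unsigned char decimalPlaces)
{
    if (!isfinite(value))
        return 0;
    double mag = (value < 0.0) ? -value : value;
    int int_digits = 1;
    while (mag >= 10.0) {       /* count digits before the decimal point */
        mag /= 10.0;
        int_digits++;
    }
    int sign = (value < 0.0) ? 1 : 0;
    int room = FLOAT_BUF_SIZE - 1 /* NUL */ - sign - int_digits - 1 /* '.' */;
    if (room < 0)
        room = 0;
    return ((int)decimalPlaces > room) ? (unsigned char)room : decimalPlaces;
}

/* Hardened float-to-string conversion.  decimalPlaces is clamped before
 * formatting, the formatter is length-limited, and the result length is
 * checked again before it is copied out, so no write can exceed a buffer.
 * Returns the string length, or -1 if the value cannot be represented. */
int float_to_string(double value, unsigned char decimalPlaces,
                    char *out, size_t outlen)
{
    char buf[FLOAT_BUF_SIZE];
    unsigned char places = clamp_decimal_places(value, decimalPlaces);
    int n = snprintf(buf, sizeof buf, "%.*f", (int)places, value);
    /* Integer part too wide for the buffer (e.g. 1e300): refuse, don't truncate. */
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    if (outlen == 0 || (size_t)n >= outlen)
        return -1;
    memcpy(out, buf, (size_t)n + 1);
    return n;
}
```

With the clamp in place, a request for 200 decimal places on a value like 3.14159 yields at most 30, the largest count that still fits the 33-byte buffer; an unbounded request is what the vulnerable versions passed straight through to dtostrf.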