CVE-2025-69209
Unknown Unknown - Not Provided
Stack-Based Buffer Overflow in ArduinoCore-avr Enables Code Execution

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: GitHub, Inc.

Description
ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. ### Patches - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr) - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59) ### References - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX) ### Credits - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69209
EUVD
EUVD-2025-206313
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arduino arduino_core_avr to 1.8.7 (exc)
arduino arduino_core_avr 1.8.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69209 is a stack-based buffer overflow vulnerability in the ArduinoCore-avr library affecting versions prior to 1.8.7. It occurs when converting floating-point values (float/double) to strings with very high precision. Specifically, by passing excessively large decimalPlaces values to the String constructors or concat methods, the dtostrf function writes beyond fixed-size stack buffers, causing memory corruption. This improper boundary checking during float/double to String conversion can lead to denial of service and, under certain conditions, arbitrary code execution on AVR-based Arduino boards. [1, 4]

Impact Analysis

This vulnerability can cause memory corruption and denial of service on affected Arduino AVR boards by overflowing stack buffers during floating-point to string conversions. In more severe cases, it could allow an attacker to execute arbitrary code on the device, potentially compromising the system's integrity and security. [4]

Detection Guidance

This vulnerability is related to a stack-based buffer overflow in the ArduinoCore-avr library when converting floating-point values to strings with high precision. Detection involves checking if your system is running a vulnerable version of ArduinoCore-avr (prior to 1.8.7). There are no specific network detection commands provided. To detect the vulnerability on your system, verify the installed ArduinoCore-avr version. For example, you can check the version in your Arduino environment or inspect the library files. Since the vulnerability is triggered by passing very large decimalPlaces values to String constructors or concat methods, you can audit your code for such usage. No specific commands for runtime detection or network scanning are provided in the resources. [1, 4]

Mitigation Strategies

The immediate mitigation step is to update the ArduinoCore-avr library to version 1.8.7 or later, where the vulnerability has been fixed. The fix includes proper boundary checking of decimalPlaces values during floating-point to string conversions, preventing buffer overflows. You can obtain the patched version from the official ArduinoCore-avr repository release 1.8.7. Additionally, review your code to avoid passing excessively large decimalPlaces values to String constructors or concat methods until the update is applied. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart