CVE-2026-22213
Stack-Based Buffer Overflow in RIOT OS tapslip6 Utility
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riot_os | riot_os | to 2026.01-devel-317 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22213 is a stack-based buffer overflow vulnerability in the tapslip6 utility of RIOT OS versions up to 2026.01-devel-317. The vulnerability occurs because the devopen() function constructs a device path by concatenating the fixed prefix "/dev/" with a user-supplied device name from the -s command-line option using strcpy() and strcat() without any bounds checking. This allows an attacker to supply an excessively long device name that overflows a fixed-size 1024-byte stack buffer, causing memory corruption and process crashes. [1, 4]
How can this vulnerability impact me?
This vulnerability can lead to process crashes and memory corruption in the tapslip6 utility. Since tapslip6 is often run with elevated privileges during development, testing, or deployment of RIOT OS networking environments, exploitation can cause denial of service or potentially more severe impacts depending on the context. Exploitation requires local access and user interaction. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to trigger the stack-based buffer overflow in the tapslip6 utility using an excessively long device name with the -s option. A proof-of-concept command to detect the vulnerability is:

```
./tapslip6 -s $(python3 - << 'EOF'
print("A"*3000)
EOF
) 10.0.0.1 255.255.255.0
```

This command passes a 3000-character string of "A"s as the device name, which triggers the overflow and can cause process crashes or memory corruption, confirming the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the tapslip6 utility with untrusted or excessively long device name inputs via the -s option, especially in environments where tapslip6 runs with elevated privileges. Restrict local access to the system to prevent exploitation, and monitor for crashes or abnormal behavior of tapslip6. Applying patches or updates from RIOT OS that fix the unsafe string concatenation in devopen() is recommended once available. [1, 4]
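
The unsafe concatenation described in the answers above, next to a bounds-checked replacement. This is an added example, not RIOT OS code and not the upstream fix: the names `build_dev_path` and `devopen_checked` are hypothetical, and only the "/dev/" prefix and the 1024-byte buffer size come from the description.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define DEV_PATH_MAX 1024 /* stack buffer size stated in the advisory */

/* Pattern the advisory describes, shown only for contrast:
 *     char t[1024];
 *     strcpy(t, "/dev/");
 *     strcat(t, dev);   // dev comes from -s, length never checked
 */

/* Write "/dev/<name>" into out. Returns 0 on success; on an empty or
 * over-long name returns -1, sets errno, and leaves out as "". */
int build_dev_path(char *out, size_t outlen, const char *name)
{
    int n;

    if (out == NULL || outlen == 0) {
        errno = EINVAL;
        return -1;
    }
    out[0] = '\0';
    if (name == NULL || name[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    /* snprintf never writes past outlen and reports the length it needed. */
    n = snprintf(out, outlen, "/dev/%s", name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';            /* do not hand back a truncated path */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Hypothetical replacement for the open step: refuse instead of overflowing. */
int devopen_checked(const char *name, int flags)
{
    char path[DEV_PATH_MAX];

    if (build_dev_path(path, sizeof path, name) != 0)
        return -1;
    return open(path, flags);
}
```

With a 1024-byte buffer the longest accepted device name is 1018 characters; anything longer is rejected with `ENAMETOOLONG` before any path is opened.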