CVE-2026-22213
Unknown Unknown - Not Provided
Stack-Based Buffer Overflow in RIOT OS tapslip6 Utility

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: VulnCheck

Description
RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22213
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
riot_os riot_os to 2026.01-devel-317 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22213 is a stack-based buffer overflow vulnerability in the tapslip6 utility of RIOT OS versions up to 2026.01-devel-317. The vulnerability occurs because the devopen() function constructs a device path by concatenating the fixed prefix "/dev/" with a user-supplied device name from the -s command-line option using strcpy() and strcat() without any bounds checking. This allows an attacker to supply an excessively long device name that overflows a fixed-size 1024-byte stack buffer, causing memory corruption and process crashes. [1, 4]

Impact Analysis

This vulnerability can lead to process crashes and memory corruption in the tapslip6 utility. Since tapslip6 is often run with elevated privileges during development, testing, or deployment of RIOT OS networking environments, exploitation can cause denial of service or potentially more severe impacts depending on the context. Exploitation requires local access and user interaction. [1, 4]

Detection Guidance

This vulnerability can be detected by attempting to trigger the stack-based buffer overflow in the tapslip6 utility using an excessively long device name with the -s option. A proof-of-concept command to detect the vulnerability is: ./tapslip6 -s $(python3 - << 'EOF' print("A"*3000) EOF ) 10.0.0.1 255.255.255.0 This command passes a 3000-character string of "A"s as the device name, which triggers the overflow and can cause process crashes or memory corruption, confirming the presence of the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the tapslip6 utility with untrusted or excessively long device name inputs via the -s option, especially in environments where tapslip6 runs with elevated privileges. Restrict local access to the system to prevent exploitation, and monitor for crashes or abnormal behavior of tapslip6. Applying patches or updates from RIOT OS that fix the unsafe string concatenation in devopen() is recommended once available. [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart