CVE-2026-27703
Stack-Based Buffer Overflow in RIOT coap_well_known_core Handler
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| riot-os | riot | up to 2026.01 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27703 is an out-of-bounds write vulnerability in the nanoCoAP server implementation of RIOT-OS, affecting versions up to 2026.01. The issue occurs in the default handler for the well-known/core resource, where user-supplied option data and other information are written into a fixed-size buffer without checking if the buffer is large enough.
Specifically, the nanoCoAP server uses a fixed-size response buffer of 112 bytes. An attacker can send a CoAP packet with a header and extended token length exceeding this size. Although the packet is validated for correctness, there is no enforcement of maximum size limits on extended tokens or options.
During processing, the handler computes a pointer to the payload based on the header and extended token length without bounds checking. It then writes multiple bytes, including option data, to this pointer without validating buffer boundaries, causing out-of-bounds writes.
How can this vulnerability impact me?
This vulnerability allows an attacker to corrupt adjacent stack memory, including security-critical data such as return addresses.
The impact can lead to denial of service or arbitrary code execution, which is especially severe in embedded systems like those running RIOT-OS that often lack memory protection mechanisms.
Users running the nanoCoAP server with the well-known/core resource enabled and exposed to untrusted clients are at risk, particularly when extended token length support is active.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for CoAP packets with extended token lengths or options exceeding the fixed buffer size of 112 bytes used by the nanoCoAP server in RIOT-OS.
Specifically, detection involves identifying CoAP requests to the well-known/core resource that contain unusually large headers or extended tokens that could trigger out-of-bounds writes.
While no specific commands are provided in the resources, network packet inspection tools such as Wireshark or tcpdump can be used to capture and analyze CoAP traffic for oversized tokens or options.
- Use tcpdump to capture CoAP traffic: tcpdump -i <interface> udp port 5683 -w capture.pcap
- Analyze captured packets in Wireshark, filtering for CoAP requests to the well-known/core resource and inspecting token lengths and options.
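The detection check described above, as an added example that is not part of this record and not RIOT's own code: a small parser for the CoAP header, the RFC 8974 extended token length and the option list, which flags datagrams aimed at .well-known/core whose 4-byte header plus token exceed the 112-byte buffer size the record states, and separately flags datagrams whose declared lengths run past the end of the packet. The constant name NANOCOAP_RESP_BUF_SIZE and the three sample datagrams are constructed for the example; real input would be the UDP payloads pulled from a capture (for instance with scapy).

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Size of the fixed nanoCoAP response buffer as stated in the advisory.
# The constant name is ours (hypothetical), not RIOT's.
NANOCOAP_RESP_BUF_SIZE = 112
COAP_OPT_URI_PATH = 11          # option number from RFC 7252
COAP_PAYLOAD_MARKER = 0xFF


@dataclass
class CoapSummary:
    """What a defender wants to know about one CoAP datagram."""
    token_len: int = 0
    header_len: int = 0          # 4-byte header + extended TKL bytes + token
    uri_path: List[str] = field(default_factory=list)
    malformed: bool = False
    oversized: bool = False


def _ext_field(nibble: int, buf: bytes, off: int) -> Tuple[int, int]:
    """Decode a 4-bit TKL/delta/length nibble plus its extension bytes
    (RFC 7252 for options, RFC 8974 for the token). Returns (value, next offset)."""
    if nibble < 13:
        return nibble, off
    if nibble == 13:
        return buf[off] + 13, off + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, off)[0] + 269, off + 2
    raise ValueError("nibble value 15 is reserved")


def inspect_coap(buf: bytes) -> CoapSummary:
    s = CoapSummary()
    try:
        if len(buf) < 4 or (buf[0] >> 6) != 1:
            raise ValueError("truncated header or unsupported version")
        # The extended token length field sits right after the 4-byte header.
        token_len, off = _ext_field(buf[0] & 0x0F, buf, 4)
        s.token_len = token_len
        s.header_len = off + token_len
        if s.header_len > len(buf):
            raise ValueError("token runs past the end of the datagram")
        # Walk the options so we can see which resource is being requested.
        off, number = s.header_len, 0
        while off < len(buf) and buf[off] != COAP_PAYLOAD_MARKER:
            delta, off2 = _ext_field(buf[off] >> 4, buf, off + 1)
            length, off2 = _ext_field(buf[off] & 0x0F, buf, off2)
            number += delta
            value = buf[off2:off2 + length]
            if len(value) != length:
                raise ValueError("option runs past the end of the datagram")
            if number == COAP_OPT_URI_PATH:
                s.uri_path.append(value.decode("ascii", "replace"))
            off = off2 + length
    except (ValueError, IndexError, struct.error):
        s.malformed = True
        return s
    # The condition the advisory describes: header plus token larger than the buffer.
    s.oversized = s.header_len > NANOCOAP_RESP_BUF_SIZE
    return s


def suspicious_well_known_core(datagrams) -> List[Tuple[int, str]]:
    """Return (index, reason) for datagrams worth a closer look."""
    hits = []
    for i, d in enumerate(datagrams):
        s = inspect_coap(d)
        if s.malformed:
            hits.append((i, "malformed"))
        elif s.oversized and s.uri_path == [".well-known", "core"]:
            hits.append((i, "oversized"))
    return hits


# Constructed sample datagrams (not captured traffic).
# Ordinary GET /.well-known/core with a 2-byte token.
NORMAL_GET = b"\x42\x01\x12\x34\xab\xcd" + b"\xbb.well-known" + b"\x04core"
# TKL nibble 14 plus a 2-byte extension: token length 269 + 31 = 300 bytes.
OVERSIZED_GET = (b"\x4e\x01\x12\x34" + struct.pack("!H", 300 - 269)
                 + b"\x00" * 300 + b"\xbb.well-known" + b"\x04core")
# TKL nibble 13 plus one byte: claims a 45-byte token but carries only 10.
TRUNCATED = b"\x4d\x01\x12\x34\x20" + b"\x00" * 10
SAMPLES = [NORMAL_GET, OVERSIZED_GET, TRUNCATED]

if __name__ == "__main__":
    for idx, reason in suspicious_well_known_core(SAMPLES):
        print(f"datagram {idx}: {reason}")
```

The 112-byte threshold is taken from the record; if a deployment builds nanoCoAP with a different buffer size, adjust the constant rather than the parsing logic.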
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the nanoCoAP server, especially the well-known/core resource, to trusted clients only.
Since no patched versions are available, it is important to implement network-level protections such as firewall rules to block untrusted or external CoAP traffic.
Additionally, disabling or limiting support for extended token lengths in CoAP requests, if configurable, can reduce the attack surface.
Monitoring for suspicious CoAP traffic and applying strict input validation on the server side when possible are also recommended.