CVE-2026-27703
Received Received - Intake
Stack-Based Buffer Overflow in RIOT coap_well_known_core Handler

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27703
EUVD
EUVD-2026-11305
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
riot-os riot to 2026.01 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27703 is an out-of-bounds write vulnerability in the nanoCoAP server implementation of RIOT-OS, affecting versions up to 2026.01. The issue occurs in the default handler for the well-known/core resource, where user-supplied option data and other information are written into a fixed-size buffer without checking if the buffer is large enough.

Specifically, the nanoCoAP server uses a fixed-size response buffer of 112 bytes. An attacker can send a CoAP packet with a header and extended token length exceeding this size. Although the packet is validated for correctness, there is no enforcement of maximum size limits on extended tokens or options.

During processing, the handler computes a pointer to the payload based on the header and extended token length without bounds checking. It then writes multiple bytes, including option data, to this pointer without validating buffer boundaries, causing out-of-bounds writes.

Impact Analysis

This vulnerability allows an attacker to corrupt adjacent stack memory, including security-critical data such as return addresses.

The impact can lead to denial of service or arbitrary code execution, which is especially severe in embedded systems like those running RIOT-OS that often lack memory protection mechanisms.

Users running the nanoCoAP server with the well-known/core resource enabled and exposed to untrusted clients are at risk, particularly when extended token length support is active.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring network traffic for CoAP packets with extended token lengths or options exceeding the fixed buffer size of 112 bytes used by the nanoCoAP server in RIOT-OS.

Specifically, detection involves identifying CoAP requests to the well-known/core resource that contain unusually large headers or extended tokens that could trigger out-of-bounds writes.

While no specific commands are provided in the resources, network packet inspection tools such as Wireshark or tcpdump can be used to capture and analyze CoAP traffic for oversized tokens or options.

  • Use tcpdump to capture CoAP traffic: tcpdump -i <interface> udp port 5683 -w capture.pcap
  • Analyze captured packets in Wireshark, filtering for CoAP requests to the well-known/core resource and inspecting token lengths and options.
Mitigation Strategies

Immediate mitigation steps include restricting access to the nanoCoAP server, especially the well-known/core resource, to trusted clients only.

Since no patched versions are available, it is important to implement network-level protections such as firewall rules to block untrusted or external CoAP traffic.

Additionally, disabling or limiting support for extended token lengths in CoAP requests, if configurable, can reduce the attack surface.

Monitoring for suspicious CoAP traffic and applying strict input validation on the server side when possible are also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart