CVE-2026-14607
Received Received - Intake

Memory Corruption in RT-Thread via sys_getaddrinfo

Vulnerability report for CVE-2026-14607, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: VulDB

Description

A weakness has been identified in RT-Thread up to 5.0.2. This affects the function sys_getaddrinfo of the file components/lwp/lwp_syscall.c. Executing a manipulation of the argument ai_addr can lead to memory corruption. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-03
Last Modified
2026-07-03
Generated
2026-07-04
AI Q&A
2026-07-03
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
rt-thread rt-thread to 5.0.2 (inc)
rt-thread rt-thread 5.0.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-14607 vulnerability is a security flaw in the sys_getaddrinfo function of the RT-Thread operating system. It arises because the system call improperly handles nested user pointers, specifically the ai_addr pointer inside the res structure. While the outer pointer is validated, the nested ai_addr pointer is not checked for validity before being dereferenced and written to by the kernel. This allows a local attacker to manipulate the ai_addr argument to cause memory corruption by redirecting kernel writes to arbitrary memory locations.

The vulnerability exists because the kernel writes the resolved socket address directly to the user-controlled nested pointer without verifying if the destination is valid user memory. This flaw can lead to unauthorized memory writes, crashes, or privilege escalation. The fix involves copying user inputs into kernel-owned buffers, validating nested pointers before use, and performing safe kernel-to-user memory operations.

Impact Analysis

This vulnerability can impact you by allowing a local attacker to cause memory corruption within the RT-Thread operating system. Specifically, an attacker can manipulate the nested ai_addr pointer to redirect kernel writes to arbitrary memory locations.

  • Potential unauthorized memory writes that could corrupt kernel memory.
  • Denial of service if invalid memory addresses are targeted, causing system crashes.
  • Possible privilege escalation if sensitive kernel memory is overwritten.

Since the attack requires local access and manipulation of syscall arguments, it is limited to local attackers with some level of access to the system.

Detection Guidance

This vulnerability is a local memory corruption issue in the sys_getaddrinfo system call of RT-Thread and cannot be detected directly via network monitoring since the attack must be executed locally.

Detection involves checking if the system is running a vulnerable version of RT-Thread (up to 5.0.2) with the affected sys_getaddrinfo implementation in components/lwp/lwp_syscall.c.

You can verify the RT-Thread version and presence of the vulnerable code by inspecting the system or firmware version.

Since the exploit involves manipulation of the ai_addr argument in sys_getaddrinfo, monitoring or auditing local calls to sys_getaddrinfo for unusual or malformed ai_addr pointers could help detect exploitation attempts.

No specific commands are provided in the resources, but general approaches include:

  • Checking RT-Thread version: use system commands or firmware inspection to confirm version <= 5.0.2.
  • Audit or trace local sys_getaddrinfo calls, possibly with debugging or syscall tracing tools available on the RT-Thread platform.
  • Look for crash logs or kernel oops messages that may indicate memory corruption related to sys_getaddrinfo.
Mitigation Strategies

Immediate mitigation involves preventing exploitation by restricting local unprivileged access to the sys_getaddrinfo system call or limiting the ability to manipulate the ai_addr argument.

Since the vulnerability requires local execution, controlling local user permissions and access is critical.

The definitive fix is to apply the patch that introduces stricter validation and isolation of user pointers in sys_getaddrinfo, as described in the pull request.

This fix copies user inputs into kernel-owned buffers, validates nested pointers like ai_addr before use, and uses safe user-copy helpers to prevent unauthorized memory writes.

Until the fix is accepted and deployed, consider:

  • Restricting local user access to the vulnerable RT-Thread system or disabling features that allow unprivileged calls to sys_getaddrinfo.
  • Monitoring for suspicious local activity or crashes related to sys_getaddrinfo.
  • Planning to update RT-Thread to a version including the patch once it is merged and released.
Compliance Impact

The vulnerability in RT-Thread's sys_getaddrinfo function allows local attackers to cause memory corruption by manipulating nested user pointers, potentially leading to unauthorized memory writes or denial of service.

While the CVE description and resources detail the technical impact and exploitability, there is no direct information on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart