{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22213", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.187Z", "datePublished": "2026-01-12T23:03:05.461Z", "dateUpdated": "2026-05-14T02:09:05.985Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "RIOT OS", "repo": "https://github.com/RIOT-OS/RIOT", "vendor": "RIOT", "versions": [{"lessThanOrEqual": "2026.01-devel-317", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption."}], "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 2.4, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:05.985Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://seclists.org/fulldisclosure/2026/Jan/15"}, {"tags": ["product"], "url": "https://www.riot-os.org/"}, {"tags": ["product"], "url": "https://github.com/RIOT-OS/RIOT"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility"}], "source": {"discovery": "UNKNOWN"}, "title": "RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T18:37:33.649371Z", "id": "CVE-2026-22213", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T18:37:41.785Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22213", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T18:37:33.649371Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T18:37:37.279Z"}}], "cna": {"title": "RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/RIOT-OS/RIOT", "vendor": "RIOT", "product": "RIOT OS", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2026.01-devel-317"}], "defaultStatus": "unknown"}], "references": [{"url": "https://seclists.org/fulldisclosure/2026/Jan/15", "tags": ["technical-description", "exploit"]}, {"url": "https://www.riot-os.org/", "tags": ["product"]}, {"url": "https://github.com/RIOT-OS/RIOT", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.", "supportingMedia": [{"type": "text/html", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:05.985Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22213", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:09:05.985Z", "dateReserved": "2026-01-06T16:47:17.187Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-01-12T23:03:05.461Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EE45C18-0705-45D6-9363-63017333DFF1", "versionEndExcluding": "2025.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*", "matchCriteriaId": "51045419-7276-4017-8857-04DDBF865A1F", "vulnerable": true}, {"criteria": "cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*", "matchCriteriaId": "D10D5F2C-4666-4D21-AED8-BE67DF223745", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption."}], "id": "CVE-2026-22213", "lastModified": "2026-01-21T17:44:38.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-01-12T23:15:52.300", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/RIOT-OS/RIOT"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2026/Jan/15"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.riot-os.org/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:53:07.131081+00:00", "value": {"mitigation_remediation": ["Upgrade RIOT OS to a version released after 2026.01\u2011devel\u2011317 that contains the fix for tapslip6", "If upgrading is not immediately possible, restrict the tapslip6 executable to trusted users only and run it under the least privileges required", "As a temporary workaround, modify the devopen function to use bounded string operations, such as strncpy or strncat, or validate the device name length before copying"], "summary": {"action": "Assess Impact", "impact": "Local memory corruption that could lead to crash or code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects RIOT OS versions up through and including 2026.01\u2011devel\u2011317. All builds that contain the tapslip6 utility in those releases are susceptible, because the unsafe construction of the device path is present in the source code for that utility. Only the devopen implementation in those versions is impacted; newer releases released after this date have the fix applied.", "description_and_impact": "A stack-based buffer overflow in the RIOT OS tapslip6 utility arises from unsafe string concatenation in the devopen function. The function builds a device path by concatenating the constant prefix \"/dev/\" with a user-supplied device name passed via the \u2013s command\u2011line option using strcpy() and strcat() without bounds checking. This flaw allows an attacker to supply a device name that exceeds the fixed\u2011size stack buffer, corrupting memory and causing the utility to crash. In the worst case, the memory corruption could be leveraged to execute arbitrary code with the privileges of the user running tapslip6.", "risk_and_exploitability": "The CVSS score is 2.4, indicating low severity, and the EPSS score is below 1\u2009%, suggesting a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need local access to run the tapslip6 binary and the ability to provide a long \u2013s argument, so the risk is limited to systems where the utility is installed and usable. Because the flaw can lead to memory corruption, trusting only authorized users and applying safer string handling could contain the damage."}}}}, "created": "2026-01-13T09:27:21.637663+00:00", "updated": "2026-04-18T07:00:11.349447+00:00", "vendors": ["riot-os", "riot-os$PRODUCT$riot"]}