{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22214", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.187Z", "datePublished": "2026-01-12T23:03:23.393Z", "dateUpdated": "2026-05-14T02:09:06.739Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "RIOT OS", "repo": "https://github.com/RIOT-OS/RIOT", "vendor": "RIOT", "versions": [{"lessThanOrEqual": "2026.01-devel-317", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash."}], "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.8, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:06.739Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://seclists.org/fulldisclosure/2026/Jan/16"}, {"tags": ["product"], "url": "https://www.riot-os.org/"}, {"tags": ["product"], "url": "https://github.com/RIOT-OS/RIOT"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser"}], "source": {"discovery": "UNKNOWN"}, "title": "RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in ethos Serial Frame Parser", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T18:50:33.856751Z", "id": "CVE-2026-22214", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T18:50:40.171Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22214", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T18:50:33.856751Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T18:50:37.755Z"}}], "cna": {"title": "RIOT OS <= 2026.01-devel-317 Stack-Based Buffer Overflow in ethos Serial Frame Parser", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/RIOT-OS/RIOT", "vendor": "RIOT", "product": "RIOT OS", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2026.01-devel-317"}], "defaultStatus": "unknown"}], "references": [{"url": "https://seclists.org/fulldisclosure/2026/Jan/16", "tags": ["technical-description", "exploit"]}, {"url": "https://www.riot-os.org/", "tags": ["product"]}, {"url": "https://github.com/RIOT-OS/RIOT", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash.", "supportingMedia": [{"type": "text/html", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:06.739Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22214", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:09:06.739Z", "dateReserved": "2026-01-06T16:47:17.187Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-01-12T23:03:23.393Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EE45C18-0705-45D6-9363-63017333DFF1", "versionEndExcluding": "2025.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*", "matchCriteriaId": "51045419-7276-4017-8857-04DDBF865A1F", "vulnerable": true}, {"criteria": "cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*", "matchCriteriaId": "D10D5F2C-4666-4D21-AED8-BE67DF223745", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash."}], "id": "CVE-2026-22214", "lastModified": "2026-01-21T17:43:51.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-01-12T23:15:52.453", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/RIOT-OS/RIOT"}, {"source": "disclosure@vulncheck.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2026/Jan/16"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.riot-os.org/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:58:38.296716+00:00", "value": {"mitigation_remediation": ["Upgrade RIOT OS to a release newer than 2026.01-devel-317 where the bounds check in _handle_char() has been added.", "If upgrading immediately is not feasible, restrict access to the ethos serial/TCP interface so that only trusted hosts can send frames.", "Apply any vendor\u2011supplied patch or, if unavailable, review and modify the source code to implement proper bounds checking for the frame buffer before appending bytes."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "RIOT:RIOT OS, versions up to and including 2026.01-devel-317, specifically the ethos utility responsible for parsing incoming serial frame data.", "description_and_impact": "A missing bounds check in the ethos utility's _handle_char() function allows an attacker to send crafted serial or TCP\u2011framed input that overflows a fixed\u2011size stack buffer, corrupting memory and crashing the application. The available information confirms only memory corruption and program termination.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, while the EPSS score of <1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. A likely attack requires an attacker to be able to transmit crafted frames over the device\u2019s serial or TCP interface, which could involve remote or local access depending on deployment. If successfully exploited, the result is memory corruption and a crash, potentially leading to denial of service."}}}}, "created": "2026-01-13T09:27:07.747988+00:00", "updated": "2026-04-18T20:00:09.329703+00:00", "vendors": ["riot-os", "riot-os$PRODUCT$riot"]}