{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27703", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-03-11T19:38:02.866Z", "dateUpdated": "2026-03-12T19:53:21.857Z"}, "containers": {"cna": {"title": "RIOT has an Out-of-Bounds Write in nanoCoAP Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj"}], "affected": [{"vendor": "RIOT-OS", "product": "RIOT", "versions": [{"version": "<= 2026.01", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:38:02.866Z"}, "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution."}], "source": {"advisory": "GHSA-qgj4-9jff-93cj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:53:15.324425Z", "id": "CVE-2026-27703", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:53:21.857Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27703", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T19:53:15.324425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:53:18.962Z"}}], "cna": {"title": "RIOT has an Out-of-Bounds Write in nanoCoAP Handler", "source": {"advisory": "GHSA-qgj4-9jff-93cj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "RIOT-OS", "product": "RIOT", "versions": [{"status": "affected", "version": "<= 2026.01"}]}], "references": [{"url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj", "name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:38:02.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27703", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:53:21.857Z", "dateReserved": "2026-02-23T17:56:51.202Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:38:02.866Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DACBB75-13DE-4EC2-BAB6-60C361BE10C7", "versionEndIncluding": "2026.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution."}, {"lang": "es", "value": "RIOT es un sistema operativo de microcontrolador de c\u00f3digo abierto, dise\u00f1ado para cumplir los requisitos de los dispositivos de Internet de las Cosas (IoT) y otros dispositivos embebidos. En 2026.01 y anteriores, el gestor predeterminado para el recurso well_known_core coap_well_known_core_default_handler escribe datos de opci\u00f3n proporcionados por el usuario y otros datos en un b\u00fafer de tama\u00f1o fijo sin validar que el b\u00fafer sea lo suficientemente grande para contener la respuesta. Esta vulnerabilidad permite a un atacante corromper ubicaciones de pila adyacentes, incluyendo direcciones sensibles a la seguridad como la direcci\u00f3n de retorno, lo que lleva a una denegaci\u00f3n de servicio o a la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2026-27703", "lastModified": "2026-03-16T20:19:49.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T20:16:14.990", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.01]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "RIOT", "source": "cna", "vendor": "RIOT-OS"}, "product": "riot", "vendor": "riot-os"}], "analysis": {"en": {"generated_at": "2026-03-16T23:10:39.451101+00:00", "value": {"mitigation_remediation": ["Apply the vendor-proposed patch or upgrade to a newer RIOT-OS release that contains the fix (see the GitHub advisory GHSA-qgj4-9jff-93cj).", "If an immediate patch is not available, restrict exposure of the coap_well_known_core resource by disabling it or limiting access to trusted networks only.", "As a temporary measure, block unauthenticated CoAP traffic to the device using firewall rules or network segmentation.", "Monitor device logs for unusually large CoAP option fields or abnormal request patterns that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products include the RIOT\u2011OS operating system released up to and including version 2026.01. No other versions or products are listed as impacted, and the vulnerability is specific to the nanoCoAP handler within RIOT\u2011OS.", "description_and_impact": "An out-of-bounds write bug exists in RIOT\u2011OS 2026.01 and earlier within the default coap_well_known_core handler. The handler directs user-supplied CoAP option data into a fixed-size buffer without validating that the buffer can hold the response. This flaw can corrupt adjacent stack memory, including sensitive addresses such as the return pointer, enabling an attacker to trigger denial of service or execute arbitrary code on the device. The weakness is classified as CWE\u2011787 Consumer Input Validation failure leading to out-of-bounds write.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is considered high severity. EPSS indicates an exploitation probability of less than 1%, and it is not listed in the CISA KEV catalogue, suggesting no publicly known exploits. The likely attack vector requires an attacker that can send crafted CoAP requests to the device; the vulnerability relies on leaking data through the CoAP protocol on a network where the device is reachable. While exploitation may demand some effort to correctly format the oversized option data, the absence of additional authentication or input checks lowers the barrier for an attacker with network access to the target."}}}}, "created": "2026-03-12T09:56:28.366327+00:00", "updated": "2026-03-23T09:55:16.738376+00:00", "vendors": ["riot-os", "riot-os$PRODUCT$riot"]}