CVE-2025-53888
Published: 18 July 2025
Summary
CVE-2025-53888 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Riot-Os Riot. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Mandates runtime validation of inputs like addr_len before memcpy to directly prevent buffer overflows from unchecked sizes in l2filter_add().
- Implements memory safeguards such as stack canaries and bounds checking to protect against buffer overflow exploits writing past list[i].addr.
- Requires timely identification, reporting, and patching of flaws like the ineffective assert() check fixed in commit f6f7de4.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Buffer overflow in network-accessible l2filter component directly enables remote exploitation of the IoT device's network service for code execution or DoS.
NVD Description
RIOT-OS, an operating system that supports Internet of Things devices, has an ineffective size check implemented with `assert()` that can lead to buffer overflow in versions up to and including 2025.04. Assertions are usually compiled out in production builds. If assertions are the only defense against untrusted inputs, the software may be exposed to attacks that utilize the lack of proper input checks. In the `l2filter_add()` function shown below, `addr_len` is checked using an assertion and is subsequently used as an argument in a `memcpy()` call. When assertions are disabled, there would be no size check for `addr_len`. As a consequence, if an attacker were to provide an `addr_len` value larger than `CONFIG_L2FILTER_ADDR_MAXLEN`, they can trigger a buffer overflow and write past the `list[i].addr` buffer. If the unchecked input is attacker-controlled, the impact of the buffer overflow can range from a denial of service to arbitrary code execution. Commit f6f7de4ccc107c018630e4c15500825caf02e1c2 contains a patch for the vulnerability.
Deeper analysis [AI]
CVE-2025-53888 is a buffer overflow vulnerability in RIOT-OS, an operating system designed for Internet of Things devices. The issue stems from an ineffective size check in the `l2filter_add()` function within the `sys/net/link_layer/l2filter` component, where the `addr_len` parameter is validated solely via an `assert()` macro. This affects all RIOT-OS versions up to and including 2025.04. In production builds, assertions are typically compiled out, leaving no runtime check before `addr_len` is passed to a `memcpy()` call, allowing writes beyond the bounds of the `list[i].addr` buffer if `addr_len` exceeds `CONFIG_L2FILTER_ADDR_MAXLEN`.
The vulnerability can be exploited by any remote attacker with network access to a vulnerable device, requiring no privileges, authentication, or user interaction (CVSSv3.1 base score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a crafted, attacker-controlled `addr_len` value larger than the configured maximum, the lack of bounds checking triggers the buffer overflow during the `memcpy()` operation. Potential impacts range from denial of service to arbitrary code execution, depending on the attacker's control over the input and the device's context.
Mitigation is available via a patch in RIOT-OS commit f6f7de4ccc107c018630e4c15500825caf02e1c2, which replaces the assertion with a proper runtime check. The RIOT-OS security advisory (GHSA-7972-w7f9-3j9m) details the issue and recommends updating to a patched version. Affected users should review the source code at the vulnerable line in `l2filter.c` (line 47) and apply the fix promptly, especially for production IoT deployments where assertions are disabled.
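The following C program is an added, illustrative reconstruction of the pattern described in the NVD description and the analysis above; it is not RIOT-OS source code and not the patch in commit f6f7de4. Only the names `l2filter_add()`, `CONFIG_L2FILTER_ADDR_MAXLEN` and `list[i].addr` come from the advisory; the struct layout, the list size, the function signatures and the hypothetical `PRODUCTION_ASSERT` macro (standing in for what `assert()` becomes under `NDEBUG`) are assumptions. It places the assert-only version beside a version with a runtime length check that fails closed, which is the SI-10 control the mitigation list refers to.

```c
/*
 * Illustrative reconstruction, NOT RIOT-OS source: an assert-only length check
 * (compiled out in production) beside a runtime check that survives NDEBUG.
 * Struct layout, list size, signatures and constant values are assumed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_L2FILTER_ADDR_MAXLEN 8   /* assumed value for this example */
#define CONFIG_L2FILTER_LISTSIZE    4   /* assumed value for this example */

typedef struct {
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN];
    size_t  addr_len;                    /* 0 marks an unused slot (assumed) */
} l2filter_t;

/* What assert(cond) expands to once NDEBUG is defined: nothing at all. */
#define PRODUCTION_ASSERT(cond) ((void)0)

/* BEFORE: the assertion is the only guard, so a production build has none. */
int l2filter_add_assert_only(l2filter_t *list, const uint8_t *addr, size_t addr_len)
{
    PRODUCTION_ASSERT(addr_len <= CONFIG_L2FILTER_ADDR_MAXLEN);
    for (size_t i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            /* With addr_len > MAXLEN this writes past list[i].addr. */
            memcpy(list[i].addr, addr, addr_len);
            list[i].addr_len = addr_len;
            return 0;
        }
    }
    return -ENOMEM;
}

/* AFTER: validate the untrusted length at runtime and fail closed. */
int l2filter_add_checked(l2filter_t *list, const uint8_t *addr, size_t addr_len)
{
    if (addr == NULL || addr_len == 0 || addr_len > CONFIG_L2FILTER_ADDR_MAXLEN) {
        return -EINVAL;                  /* rejected before any copy happens */
    }
    for (size_t i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            memcpy(list[i].addr, addr, addr_len);   /* addr_len <= sizeof(addr) */
            list[i].addr_len = addr_len;
            return 0;
        }
    }
    return -ENOMEM;
}

/* Oversize input (MAXLEN + 4 bytes) must be refused by the checked version. */
int checked_rejects_oversize(void)
{
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE];
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN + 4] = {0};
    memset(list, 0, sizeof(list));
    return l2filter_add_checked(list, addr, sizeof(addr));
}

/* A valid 6-byte (constructed, MAC-like) address is stored; returns its length. */
int checked_accepts_valid(void)
{
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE];
    uint8_t addr[6] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    memset(list, 0, sizeof(list));
    int rc = l2filter_add_checked(list, addr, sizeof(addr));
    return rc != 0 ? rc : (int)list[0].addr_len;
}

/* Filling every slot and adding once more reports a full list, not a crash. */
int checked_reports_full_list(void)
{
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE];
    uint8_t addr[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    memset(list, 0, sizeof(list));
    for (size_t i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        (void)l2filter_add_checked(list, addr, sizeof(addr));
    }
    return l2filter_add_checked(list, addr, sizeof(addr));
}

int main(void)
{
    /* Show what the assert-only path does to a neighbouring slot: an
     * over-long copy into list[0].addr spills into list[1].addr. */
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE];
    uint8_t oversize[CONFIG_L2FILTER_ADDR_MAXLEN + 12];
    memset(list, 0, sizeof(list));
    memset(oversize, 0x41, sizeof(oversize));
    volatile size_t bad_len = sizeof(oversize);   /* keep the size opaque to the compiler */
    (void)l2filter_add_assert_only(list, oversize, bad_len);
    printf("assert-only: list[1].addr[0] = 0x%02x (slot 1 was never written)\n", list[1].addr[0]);
    printf("checked: oversize -> %d, valid -> %d, full list -> %d\n",
           checked_rejects_oversize(), checked_accepts_valid(), checked_reports_full_list());
    return 0;
}
```

The point of the two functions is that the only line that differs in effect between a debug and a production build of the first version is the `PRODUCTION_ASSERT`; the second version makes the rejection part of the function's contract (a negative return value the caller must handle) rather than a debug-time aid, which is also what the `assert()` replacement in the fix is meant to achieve.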
Details
- CWE(s)