Cyber Resilience

CVE-2025-53888

Severity: Medium · Public PoC

Published: 18 July 2025
Modified: 11 September 2025
KEV Added: not listed
Patch: commit f6f7de4ccc107c018630e4c15500825caf02e1c2
CVSS v4 Score: 6.6 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0103 (77.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53888 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability in Riot-Os Riot. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 22.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

RIOT-OS, an operating system for Internet of Things devices, contains a buffer overflow vulnerability in versions up to and including 2025.04. The flaw stems from an ineffective size check in the l2filter_add() function that relies solely on an assert() statement to validate the addr_len parameter before passing it to memcpy(); because assertions are typically disabled in production builds, an oversized value bypasses any check and writes past the bounds of the list[i].addr buffer. The issue is tracked as CWE-120 and carries a CVSS 4.0 score of 6.6.

An unauthenticated network attacker can supply a malicious addr_len value larger than CONFIG_L2FILTER_ADDR_MAXLEN to trigger the overflow. Depending on the surrounding memory layout and attacker-controlled data, the resulting corruption can produce a denial of service or, in favorable conditions, arbitrary code execution.

The public GitHub Security Advisory GHSA-7972-w7f9-3j9m and the referenced source file document the problem, while commit f6f7de4ccc107c018630e4c15500825caf02e1c2 supplies the corrective patch that replaces the assert() with a proper bounds check.

EPSS remains flat at 0.0103 with no observed increase since disclosure, and no reports of active exploitation have appeared in the available references.

EU & UK References

Vulnerability details

RIOT-OS, an operating system that supports Internet of Things devices, has an ineffective size check implemented with `assert()` that can lead to a buffer overflow in versions up to and including 2025.04. Assertions are usually compiled out in production builds. If assertions are the only defense against untrusted inputs, the software may be exposed to attacks that exploit the lack of proper input checks. In the `l2filter_add()` function, `addr_len` is checked using an assertion and is subsequently used as an argument in a `memcpy()` call. When assertions are disabled, there is no size check for `addr_len`. As a consequence, if an attacker were to provide an `addr_len` value larger than `CONFIG_L2FILTER_ADDR_MAXLEN`, they could trigger a buffer overflow and write past the `list[i].addr` buffer. If the unchecked input is attacker-controlled, the impact of the buffer overflow can range from a denial of service to arbitrary code execution. Commit f6f7de4ccc107c018630e4c15500825caf02e1c2 contains a patch for the vulnerability.
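The following C example is added here to illustrate the failure mode described in the Deeper analysis and Vulnerability details sections: a length check that exists only as an assert() disappears under -DNDEBUG, so memcpy() trusts the caller's length, whereas an explicit runtime check holds in every build. It is not RIOT's source, the advisory's code, or the content of the fix commit; the function names mirror the page's l2filter_add(), but the struct layout, the values of CONFIG_L2FILTER_ADDR_MAXLEN and L2FILTER_LISTSIZE, the -EINVAL/-ENOMEM return codes and the sample addresses are all constructed for this example.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for RIOT build-time constants; the real values depend
 * on the board configuration and are not taken from the advisory. */
#define CONFIG_L2FILTER_ADDR_MAXLEN 8U
#define L2FILTER_LISTSIZE 4U

/* Minimal filter entry modelled on the page's "list[i].addr"; not RIOT's struct. */
typedef struct {
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN];
    size_t addr_len;            /* 0 marks a free slot */
} l2filter_t;

/* Pattern the advisory describes: the only length check is an assert().
 * Building with -DNDEBUG removes it, and memcpy() then trusts addr_len. */
int l2filter_add_assert_only(l2filter_t *list, const void *addr, size_t addr_len)
{
    assert(addr_len <= CONFIG_L2FILTER_ADDR_MAXLEN);   /* compiled out in release builds */

    for (unsigned i = 0; i < L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            memcpy(list[i].addr, addr, addr_len);      /* writes past list[i].addr if addr_len is too large */
            list[i].addr_len = addr_len;
            return 0;
        }
    }
    return -ENOMEM;
}

/* Hardened form: an explicit runtime check that survives NDEBUG. The -EINVAL
 * return code is this example's choice, not necessarily what the RIOT fix returns. */
int l2filter_add_checked(l2filter_t *list, const void *addr, size_t addr_len)
{
    if (list == NULL || addr == NULL || addr_len == 0 ||
        addr_len > CONFIG_L2FILTER_ADDR_MAXLEN) {
        return -EINVAL;
    }

    for (unsigned i = 0; i < L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            memcpy(list[i].addr, addr, addr_len);      /* addr_len is now known to fit */
            list[i].addr_len = addr_len;
            return 0;
        }
    }
    return -ENOMEM;
}

/* Reports whether assert() is active in this translation unit, so a reader can
 * see that a release build (-DNDEBUG) silently drops the assert-only check. */
int assertions_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Drives the checked version with a valid and an oversized input. Returns 1 when
 * it accepts the former, rejects the latter, leaves the table otherwise untouched
 * and reports a full table instead of writing past it; 0 on any deviation. */
int demo_checked_filter(void)
{
    l2filter_t list[L2FILTER_LISTSIZE];
    memset(list, 0, sizeof(list));

    /* Constructed 6-byte link-layer address, within the limit. */
    const uint8_t good_addr[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
    /* Constructed oversized input: longer than CONFIG_L2FILTER_ADDR_MAXLEN. */
    uint8_t oversized[CONFIG_L2FILTER_ADDR_MAXLEN + 4];
    memset(oversized, 0x41, sizeof(oversized));

    if (l2filter_add_checked(list, good_addr, sizeof(good_addr)) != 0) return 0;
    if (list[0].addr_len != sizeof(good_addr)) return 0;
    if (memcmp(list[0].addr, good_addr, sizeof(good_addr)) != 0) return 0;

    if (l2filter_add_checked(list, oversized, sizeof(oversized)) != -EINVAL) return 0;
    if (list[1].addr_len != 0) return 0;               /* rejected input must not occupy a slot */

    for (unsigned i = 1; i < L2FILTER_LISTSIZE; i++) {
        if (l2filter_add_checked(list, good_addr, sizeof(good_addr)) != 0) return 0;
    }
    if (l2filter_add_checked(list, good_addr, sizeof(good_addr)) != -ENOMEM) return 0;

    return 1;
}

int main(void)
{
    printf("assert() active in this build: %s\n", assertions_enabled() ? "yes" : "no");
    printf("checked l2filter_add behaves as required: %s\n", demo_checked_filter() ? "yes" : "no");
    return demo_checked_filter() ? 0 : 1;
}
```

Compile it once without flags and once with -DNDEBUG: assertions_enabled() changes, while l2filter_add_checked() rejects the oversized input in both builds. That is the property the fix commit restores, and it is also what NIST SI-10 asks for: validation that runs in the shipped binary rather than only in a debug build.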

CWE(s)

CWE-120 Classic Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A buffer overflow in the network-accessible l2filter component directly enables remote exploitation of the IoT device's network service for code execution or denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-66647 (same product: Riot-Os Riot)
CVE-2026-22213 (same product: Riot-Os Riot)
CVE-2026-27703 (same product: Riot-Os Riot)
CVE-2026-25139 (same product: Riot-Os Riot)
CVE-2026-22214 (same product: Riot-Os Riot)
CVE-2025-24266 (shared CWE-120)
CVE-2026-41476 (shared CWE-120)
CVE-2026-22627 (shared CWE-120)
CVE-2024-23968 (shared CWE-120)
CVE-2024-54887 (shared CWE-120)

Affected Assets

riot-os / riot, versions ≤ 2025.04

Mitigating Controls (NIST 800-53 r5) · AI

SI-10 Information Input Validation (prevent)
Mandates runtime validation of inputs like addr_len before memcpy() to directly prevent buffer overflows from unchecked sizes in l2filter_add().

SI-16 Memory Protection (prevent)
Implements memory safeguards such as stack canaries and bounds checking to protect against buffer overflow exploits writing past list[i].addr.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and patching of flaws like the ineffective assert() check fixed in commit f6f7de4.

References