Cyber Resilience

CVE-2025-5865

HighPublic PoC

Published: 09 June 2025

Published
09 June 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0145 81.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5865 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Rt-Thread Rt-Thread. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 18.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability rated critical has been identified in RT-Thread version 5.1.0 within the Parameter Handler component. Specifically, the sys_select function in rt-thread/components/lwp/lwp_syscall.c fails to properly validate the timeout argument, resulting in memory corruption classified under CWE-119. The vendor notes that the timeout parameter must be checked for safe kernel-mode access and temporarily copied into kernel memory before use.

An attacker with low privileges and adjacent network access can supply a crafted timeout value to the affected syscall. Successful exploitation grants full control over confidentiality, integrity, and availability within the kernel context, enabling outcomes such as arbitrary code execution or system-level compromise without requiring user interaction.

The referenced GitHub issue and vendor commentary indicate that proper input validation for kernel accessibility is required to address the flaw. No public patches or updated releases are detailed in the available references. The associated EPSS score remains flat at 0.0145 with no observed increase after disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in RT-Thread 5.1.0. It has been rated as critical. Affected by this issue is the function sys_select of the file rt-thread/components/lwp/lwp_syscall.c of the component Parameter Handler. The manipulation of the argument timeout leads to memory corruption.…

more

The vendor explains, that "[t]he timeout parameter should be checked to check if it can be accessed correctly in kernel mode and used temporarily in kernel memory."

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows memory corruption via insufficient validation of the user-supplied timeout pointer in a kernel syscall, enabling kernel crashes (Endpoint DoS via system exploitation, T1499.004) and potential unauthorized kernel memory access for privilege escalation (T1068).

Affected Assets

rt-thread
rt-thread
5.1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-119

Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.

addresses: CWE-119

Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.

addresses: CWE-119

Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.

addresses: CWE-119

Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.

References