Cyber Resilience

CVE-2025-66647

Severity: Low · Public PoC

Published: 17 December 2025
Modified: 22 January 2026
CVSS Score (v4): 1.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0082 (52.2nd percentile)
Risk Priority: 4 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66647 is a low-severity Classic Buffer Overflow (CWE-120) vulnerability in Riot-Os Riot. Its CVSS base score is 1.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66647 is a buffer overflow vulnerability (CWE-120) in the IPv6 fragmentation reassembly implementation of RIOT OS version 2025.07, an open-source operating system for Internet of Things (IoT) and embedded devices. The issue resides in the `gnrc_ipv6_ext_frag` module: when the contents of the first fragment (offset=0) are copied into the reassembly buffer, no size check is performed. An attacker can force the creation of a small reassembly buffer by first sending a shorter fragment with offset=0; a later offset=0 fragment larger than that buffer then overflows it and corrupts adjacent packet buffers.

Any remote attacker able to send arbitrary IPv6 packets to a victim device whose build includes the `gnrc_ipv6_ext_frag` module can exploit this vulnerability. By manipulating fragment sizes, the attacker triggers the buffer overflow, corrupting the memory of other packet buffers. This can potentially lead to further memory corruption or remote code execution, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

RIOT OS version 2025.10 addresses the vulnerability with a fix, as detailed in the release notes. The affected code lines are documented in the RIOT GitHub repository at lines 411, 481, 532, and 544 of `sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c`. Security practitioners should ensure devices are upgraded to 2025.10 or later and verify whether the module is enabled in their builds.

Vulnerability details

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers, which an attacker might be able to use to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue.
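As an added illustration of the missing check described above and in the deeper analysis (not RIOT's own code, and a deliberately simplified model of a reassembly buffer whose struct and function names are hypothetical): a bounds-checked copy that drops any fragment, including a second offset=0 fragment, whose payload would not fit in the buffer allocated for the first one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified reassembly buffer: storage is sized when the
 * first fragment arrives, so every later copy must be checked against it. */
typedef struct {
    uint8_t *data;     /* reassembled payload storage */
    size_t capacity;   /* bytes allocated for data */
    size_t received;   /* highest byte written so far */
} reasm_buf_t;

/* Hypothetical fragment view: offset in 8-octet units as in the IPv6
 * Fragment header, plus the fragment's payload bytes. */
typedef struct {
    uint16_t offset8;        /* fragment offset in 8-octet units */
    const uint8_t *payload;
    size_t payload_len;
} frag_t;

/* The fix pattern: refuse the copy unless the whole fragment fits.
 * The subtraction form avoids integer overflow in the comparison. */
bool reasm_copy_fragment(reasm_buf_t *rb, const frag_t *f)
{
    size_t start = (size_t)f->offset8 * 8U;
    if (start > rb->capacity || f->payload_len > rb->capacity - start) {
        return false;  /* would overrun the reassembly buffer: drop it */
    }
    memcpy(rb->data + start, f->payload, f->payload_len);
    if (start + f->payload_len > rb->received) {
        rb->received = start + f->payload_len;
    }
    return true;
}

/* Constructed scenario from the advisory: a short offset=0 fragment sizes
 * the buffer, then a longer offset=0 fragment arrives and must be rejected. */
bool demo_second_first_fragment_is_rejected(void)
{
    static uint8_t storage[16];                     /* 16-byte buffer */
    static const uint8_t small_payload[8] = { 0 };  /* constructed data */
    static const uint8_t big_payload[64] = { 0 };   /* constructed data */
    reasm_buf_t rb = { storage, sizeof storage, 0 };
    frag_t first = { 0, small_payload, sizeof small_payload };
    frag_t again = { 0, big_payload, sizeof big_payload };
    bool first_ok = reasm_copy_fragment(&rb, &first);
    bool again_ok = reasm_copy_fragment(&rb, &again);
    return first_ok && !again_ok && rb.received == 8;
}
```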

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable buffer overflow in the IPv6 network stack of RIOT OS, directly enabling exploitation of a public-facing network service for memory corruption or RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53888 (same product: Riot-Os Riot)
CVE-2026-22213 (same product: Riot-Os Riot)
CVE-2026-27703 (same product: Riot-Os Riot)
CVE-2026-22214 (same product: Riot-Os Riot)
CVE-2026-25139 (same product: Riot-Os Riot)
CVE-2025-22913 (shared CWE-120)
CVE-2026-24114 (shared CWE-120)
CVE-2026-27459 (shared CWE-120)
CVE-2025-25635 (shared CWE-120)
CVE-2021-47854 (shared CWE-120)

Affected Assets

riot-os riot: 2025.10 · ≤ 2025.10

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-2 (Flaw Remediation): Directly mitigates the buffer overflow by requiring timely remediation through upgrading RIOT OS to version 2025.10 or later, where the flaw is fixed.

prevent · SI-10 (Information Input Validation): Addresses the root cause by enforcing validation of IPv6 fragment sizes and offsets before copying into reassembly buffers, preventing overflows.

prevent: Provides memory protections such as non-executable regions or stack guards to limit escalation of the buffer overflow into remote code execution.