Cyber Resilience

CVE-2026-22213

Severity: Low · Public PoC

Published: 12 January 2026
Modified: 21 January 2026
KEV Added: not listed
Patch:
CVSS v4.0 score: 2.4 (Low)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0036 (28.0th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-22213 is a low-severity stack-based buffer overflow (CWE-121) in the RIOT OS tapslip6 utility (catalogued under the product name Riot-Os Riot). Its CVSS v4.0 base score is 2.4 (Low).

Operationally, the site maps exploitation to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); since the CVSS v4 vector is AV:L (local) with user interaction required, and the flaw is reached through a command-line argument rather than a network service, that mapping should be read loosely. EPSS ranks the CVE at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-22213 is a stack-based buffer overflow vulnerability affecting RIOT OS versions up to and including 2026.01-devel-317, specifically in the tapslip6 utility. The flaw stems from unsafe string concatenation in the devopen() function, which uses strcpy() and strcat() to construct a device path by appending a user-supplied device name—provided via the -s command-line option—to the fixed prefix '/dev/' without bounds checking. Supplying an excessively long device name overflows a fixed-size stack buffer, resulting in process crashes and memory corruption.

A CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is also cited for this CVE. That vector does not match the attack path described: the overflow is triggered by the -s command-line argument, so an attacker must already be able to run tapslip6 on the host, and the CVSS v4.0 vector recorded above (AV:L/PR:L/UI:A/VA:L, score 2.4) reflects that. The demonstrated outcome is a crash of the tapslip6 process (denial of service). Turning the stack corruption into code execution would additionally require defeating the host's stack protections, and would only yield privileges beyond the invoking user's where tapslip6 runs elevated (for example under sudo, which creating a TAP interface normally requires).

Mitigation guidance is available in related advisories, including the VulnCheck advisory at https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility, the Full Disclosure mailing list post at https://seclists.org/fulldisclosure/2026/Jan/15, and resources on the RIOT OS GitHub repository at https://github.com/RIOT-OS/RIOT and official site at https://www.riot-os.org/.

Vulnerability details

RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
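The deeper analysis and the vulnerability details above describe the same defect: "/dev/" and an unchecked -s argument are joined with strcpy()/strcat() into a fixed-size stack buffer. The C below is an added illustration written for this page, not RIOT's tapslip6 source. The buffer size DEVPATH_MAX, the function names and the sample device name are assumptions; the page does not give the real buffer size or code. It puts the vulnerable shape next to a hardened replacement that validates the name before any copy and lets snprintf() bound the write.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX  "/dev/"
#define DEVPATH_MAX 64   /* assumed size; the page does not state RIOT's real buffer size */

/* Vulnerable shape described in the advisory (reconstruction, not RIOT's code).
 * No length check: a name longer than DEVPATH_MAX - 6 bytes writes past 'out'
 * into whatever follows it on the stack.  Kept only for contrast; never call it
 * with untrusted input. */
void build_devpath_unsafe(char out[DEVPATH_MAX], const char *name)
{
    strcpy(out, DEV_PREFIX);
    strcat(out, name);
}

/* Longest device name that fits in 'outlen' bytes together with the prefix and
 * the terminating NUL; 0 if even the prefix does not fit. */
size_t max_name_len(size_t outlen)
{
    return outlen < sizeof(DEV_PREFIX) ? 0 : outlen - sizeof(DEV_PREFIX);
}

/* Hardened replacement.  Rejects bad input before touching the buffer, then
 * uses snprintf() and checks its return value for truncation.
 * Returns 0 on success, -EINVAL for an empty name or one that could escape
 * /dev/ (contains '/', or is "." or ".."), -ENAMETOOLONG if it would not fit.
 * On any failure 'out' is an empty string. */
int build_devpath(char *out, size_t outlen, const char *name)
{
    if (out == NULL || outlen == 0)
        return -EINVAL;
    out[0] = '\0';
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -EINVAL;
    if (strlen(name) > max_name_len(outlen))
        return -ENAMETOOLONG;            /* the check strcpy()/strcat() never made */
    int n = snprintf(out, outlen, "%s%s", DEV_PREFIX, name);
    if (n < 0 || (size_t)n >= outlen) { /* belt and braces: snprintf() truncated */
        out[0] = '\0';
        return -ENAMETOOLONG;
    }
    return 0;
}

/* Stand-in for the -s option handler: validate at argument-parse time so a bad
 * name fails with a clear message instead of corrupting the stack later. */
int main(int argc, char **argv)
{
    char path[DEVPATH_MAX];
    const char *name = argc > 1 ? argv[1] : "ttyUSB0";  /* constructed default */
    int rc = build_devpath(path, sizeof path, name);
    if (rc != 0) {
        fprintf(stderr, "invalid device name (%s): at most %zu chars, no '/'\n",
                rc == -ENAMETOOLONG ? "too long" : "bad characters",
                max_name_len(sizeof path));
        return 1;
    }
    printf("opening %s\n", path);
    return 0;
}
```

With a 64-byte buffer the boundary is a 58-character name: 58 characters produce a 63-character path plus NUL and succeed, 59 are refused. The '/' and ".." checks are not needed to stop the overflow, but a device name that can climb out of /dev/ is a separate bug worth closing in the same place.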

CWE(s)

CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The mapping assumes the AV:N vector of the cited v3.1 score, treating tapslip6 as a network-accessible utility in which the stack overflow enables remote DoS or code execution (T1190). The CVSS v4 vector recorded above is AV:L with UI:A, and the overflow is triggered by a local command-line argument; no network-reachable trigger is described on this page, so treat T1190 as a weak fit.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22214 · Same product: Riot-Os Riot
CVE-2026-27703 · Same product: Riot-Os Riot
CVE-2025-66647 · Same product: Riot-Os Riot
CVE-2026-25139 · Same product: Riot-Os Riot
CVE-2025-53888 · Same product: Riot-Os Riot
CVE-2026-38422 · Shared CWE-121
CVE-2025-11783 · Shared CWE-121
CVE-2025-54491 · Shared CWE-121
CVE-2024-39359 · Shared CWE-121
CVE-2026-42469 · Shared CWE-121

Affected Assets

riot-os / riot: 2026.01 · ≤ 2025.10

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation · prevent
Bounds-check and validate the user-supplied device name from the -s option before it is concatenated in devopen(); rejecting over-long names (and names containing path separators) removes the overflow at its source.

SI-16 Memory Protection · prevent
Build and run with stack canaries (for example -fstack-protector-strong), fortified string functions (_FORTIFY_SOURCE), a non-executable stack (NX/DEP) and ASLR. Canaries and FORTIFY turn the overflow into an immediate abort; NX and ASLR make a corrupted return address harder to turn into code execution. None of these fix the bug, they contain it.

Patching · prevent
Ensure the buffer overflow in tapslip6's devopen() is identified, patched and the fixed build deployed, eliminating the vulnerability rather than containing it.
