CVE-2026-22213
Published: 12 January 2026
Summary
CVE-2026-22213 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in RIOT OS (listed as Riot-Os Riot). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 16.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires bounds checking and validation of the user-supplied device name from the -s command-line option prior to string concatenation in devopen(), directly preventing the stack buffer overflow.
- SI-16 (Memory Protection): deploys runtime memory protections such as stack canaries, DEP, and ASLR to detect overflows and block exploitation leading to memory corruption or code execution.
- Flaw remediation: ensures the specific buffer overflow flaw in tapslip6's devopen() function is rapidly identified, patched, and deployed to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): a stack buffer overflow in a network-accessible utility (AV:N) directly enables remote exploitation for code execution or DoS.
NVD Description
RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
Deeper analysis
CVE-2026-22213 is a stack-based buffer overflow vulnerability affecting RIOT OS versions up to and including 2026.01-devel-317, specifically in the tapslip6 utility. The flaw stems from unsafe string concatenation in the devopen() function, which uses strcpy() and strcat() to construct a device path by appending a user-supplied device name—provided via the -s command-line option—to the fixed prefix '/dev/' without bounds checking. Supplying an excessively long device name overflows a fixed-size stack buffer, resulting in process crashes and memory corruption.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, no privileges or user interaction required. Any remote attacker able to invoke tapslip6 with a malicious -s argument can trigger the overflow, achieving memory corruption that may lead to denial of service via crashes or further compromise such as arbitrary code execution, given the high confidentiality, integrity, and availability impacts.
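The pattern described above, with the SI-10 style fix, as an added example that is not RIOT's own code: the unsafe strcpy()/strcat() concatenation is shown for contrast, next to a bounded version that validates the -s value before building the '/dev/' path. The buffer size, function names and sample inputs are assumptions; the real tapslip6 sizes are not stated on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes and names; the actual tapslip6 values are not on the page. */
#define DEV_PATH_LEN 32
#define DEV_PREFIX   "/dev/"

/* The pattern the advisory describes: unbounded copies into a fixed-size
 * stack buffer. Kept for contrast only; nothing below calls it. */
void unsafe_devpath(char *dst, const char *name)
{
    strcpy(dst, DEV_PREFIX);   /* no check against the destination size */
    strcat(dst, name);         /* overflows once name exceeds what is left */
}

/* Hardened form: reject a missing, empty or path-escaping name, verify the
 * result fits, then build it with an explicit bound. Returns 0 on success
 * and -1 when the name is refused, leaving dst untouched in that case. */
int safe_devpath(char *dst, size_t dstlen, const char *name)
{
    if (dst == NULL || name == NULL || name[0] == '\0')
        return -1;
    if (strchr(name, '/') != NULL)          /* keep the path under /dev/ */
        return -1;
    size_t need = strlen(DEV_PREFIX) + strlen(name) + 1;   /* incl. NUL */
    if (need > dstlen)
        return -1;                          /* would overflow: refuse it */
    int n = snprintf(dst, dstlen, "%s%s", DEV_PREFIX, name);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
    char path[DEV_PATH_LEN];
    /* Constructed sample -s values: a normal name, a traversal attempt,
     * and an over-long name that would have overflowed the fixed buffer. */
    const char *inputs[] = { "tap0", "../tap0",
                             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (safe_devpath(path, sizeof path, inputs[i]) == 0)
            printf("ok:       %s\n", path);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```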
Mitigation guidance is available in related advisories, including the VulnCheck advisory at https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility, the Full Disclosure mailing list post at https://seclists.org/fulldisclosure/2026/Jan/15, and resources on the RIOT OS GitHub repository at https://github.com/RIOT-OS/RIOT and official site at https://www.riot-os.org/.
Details
- CWE(s)