Cyber Resilience

CVE-2026-25139

Severity: High · Public PoC

Published: 04 February 2026
Modified: 20 February 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0048 (37.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25139 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Riot-Os Riot. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 37.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-25139 affects RIOT, an open-source operating system designed for microcontrollers in Internet of Things (IoT) devices and other embedded systems. Versions 2025.10 and prior are vulnerable to multiple out-of-bounds read flaws in the 6LoWPAN stack. The issue arises when a received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without first validating that the packet is large enough to contain the struct, classified under CWE-125 (Out-of-bounds Read).

Any unauthenticated attacker capable of sending or manipulating input packets can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Exploitation enables reading of adjacent memory locations, potentially disclosing sensitive information (C:H), or crashing the device (A:H), resulting in denial-of-service. The CVSS v3.1 base score is 9.1 (S:U).

The GitHub security advisory (GHSA-c8fh-23qr-97mc), published on 2026-02-04, states that no known patch exists at the time of publication.


Vulnerability details

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds reads allow any unauthenticated user, with the ability to send or manipulate input packets, to read adjacent memory locations or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating that the packet is large enough to contain the struct object. At time of publication, no known patch exists.
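The missing length check that both the deeper analysis and the advisory text describe, shown as an added example beside the vulnerable pattern. This is not RIOT's own code: the struct below is a constructed stand-in for sixlowpan_sfr_rfrag_t (the real header layout in RIOT differs), and the sample packets are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for RIOT's sixlowpan_sfr_rfrag_t (assumption: the
 * real field layout differs; only the size check matters here). */
typedef struct __attribute__((packed)) {
    uint8_t disp_ecn;     /* dispatch byte with ECN bit */
    uint8_t tag;          /* datagram tag */
    uint8_t ar_seq_fs[2]; /* ack-request flag, sequence, fragment size */
    uint8_t offset[2];    /* fragment offset, big endian */
} sixlowpan_sfr_rfrag_t;

/* Vulnerable pattern: the receive buffer is cast and dereferenced without
 * checking that it holds at least sizeof(sixlowpan_sfr_rfrag_t) bytes, so a
 * shorter packet makes the read run past the end of the buffer (CWE-125). */
static uint16_t rfrag_offset_unchecked(const uint8_t *pkt)
{
    const sixlowpan_sfr_rfrag_t *hdr = (const sixlowpan_sfr_rfrag_t *)pkt;
    return (uint16_t)((hdr->offset[0] << 8) | hdr->offset[1]);
}

/* Hardened form (the SI-10 input validation the page recommends): reject
 * any packet too short to contain the header before touching its fields.
 * Returns the offset, or -1 when the packet must be dropped. */
static int rfrag_offset_checked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < sizeof(sixlowpan_sfr_rfrag_t)) {
        return -1; /* caller drops the packet; nothing was read out of bounds */
    }
    sixlowpan_sfr_rfrag_t hdr;
    memcpy(&hdr, pkt, sizeof(hdr)); /* copy out: no unaligned pointer cast */
    return (hdr.offset[0] << 8) | hdr.offset[1];
}

/* Constructed sample packets: one complete 6-byte header and one
 * truncated to 3 bytes, as a malformed or short frame would arrive. */
static const uint8_t sample_full[6]  = {0xE8, 0x2A, 0x00, 0x00, 0x01, 0x2C};
static const uint8_t sample_short[3] = {0xE8, 0x2A, 0x00};

int main(void)
{
    /* Only the checked parser is safe to hand the short packet. */
    int ok = rfrag_offset_checked(sample_full, sizeof(sample_full));
    int dropped = rfrag_offset_checked(sample_short, sizeof(sample_short));
    return (ok == 0x012C && dropped == -1) ? 0 : 1;
}
```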

CWE(s): CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of the network-facing 6LoWPAN stack maps to Application or System Exploitation (T1499.004), since a malformed packet can crash the device and deny availability, and to Exploit Public-Facing Application (T1190), since the same packets can cause information disclosure or disruption on an exposed host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22214 · Same product: Riot-Os Riot
CVE-2026-27703 · Same product: Riot-Os Riot
CVE-2025-66647 · Same product: Riot-Os Riot
CVE-2026-22213 · Same product: Riot-Os Riot
CVE-2025-53888 · Same product: Riot-Os Riot
CVE-2026-40890 · Shared CWE-125
CVE-2026-26264 · Shared CWE-125
CVE-2026-21863 · Shared CWE-125
CVE-2026-33598 · Shared CWE-125
CVE-2026-32877 · Shared CWE-125

Affected Assets

riot-os / riot, versions ≤ 2025.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-10 requires validation of information inputs, such as packet size, before dereferencing, directly preventing the out-of-bounds read in the 6LoWPAN stack.

Prevent: SI-11 ensures that error handling for out-of-bounds conditions generates no exploitable information, mitigating information disclosure and crash exploitation from invalid packets.

Prevent: SI-16 implements memory safeguards to restrict unauthorized access to the adjacent memory locations targeted by the out-of-bounds read.
