CVE-2026-27703
Published: 11 March 2026
Summary
CVE-2026-27703 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in RIOT (RIOT-OS). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-27703 is a buffer overflow vulnerability (CWE-787) in RIOT, an open-source operating system designed for microcontrollers in Internet of Things (IoT) devices and other embedded systems. The issue affects RIOT versions 2026.01 and earlier, specifically in the default handler for the CoAP /.well-known/core resource, coap_well_known_core_default_handler. This handler writes user-provided option data and other data into a fixed-size buffer without validating that the buffer is large enough to hold the response, so an oversized response corrupts neighboring stack locations.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Remote attackers with network access can exploit it without authentication or user interaction by sending crafted CoAP requests to the affected resource. Successful exploitation allows corruption of security-sensitive stack areas, such as return addresses, potentially resulting in denial of service or arbitrary code execution.
Mitigation details are provided in the RIOT-OS security advisory at https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj.
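The defect class above is a link-format response assembled into a fixed-size stack buffer with no room check. The following is an added illustration, not RIOT's code, of the SI-10 style fix: a bounded writer that refuses to emit an entry that would not fit. The resource table and function names are constructed for this example.

```c
/* Added example, not RIOT's code: build a CoAP /.well-known/core
 * link-format payload into a caller-supplied fixed-size buffer without
 * ever writing past its end. An unchecked version of append_entry()
 * (sprintf/strcpy with no size argument) is the defect class described
 * in the advisory. The resource registry below is constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WKC_ERR_NOSPACE ((size_t)-1)

/* Constructed resource registry; a real handler walks its own table. */
static const char *const resources[] = {
    "/.well-known/core", "/sensor/temp", "/actuator/led",
};
#define NUM_RESOURCES (sizeof(resources) / sizeof(resources[0]))

/* Append one entry ("<path>", comma-separated after the first). Returns the
 * new write position, or WKC_ERR_NOSPACE if the entry does not fit.
 * snprintf() reports the length it would have needed, so at most len-1
 * bytes plus the terminator are ever written into buf. */
static size_t append_entry(char *buf, size_t len, size_t pos,
                           const char *path, int first)
{
    if (pos >= len) {
        return WKC_ERR_NOSPACE;
    }
    int n = snprintf(buf + pos, len - pos, "%s<%s>", first ? "" : ",", path);
    if (n < 0 || (size_t)n >= len - pos) {
        buf[pos] = '\0';   /* roll back the partially written entry */
        return WKC_ERR_NOSPACE;
    }
    return pos + (size_t)n;
}

/* Build the whole payload. Returns its length, or WKC_ERR_NOSPACE when the
 * buffer cannot hold it; the caller then answers with an error response
 * (or block-wise transfer) instead of truncating silently or overflowing. */
size_t wkc_build(char *buf, size_t len)
{
    if (buf == NULL || len == 0) {
        return WKC_ERR_NOSPACE;
    }
    size_t pos = 0;
    for (size_t i = 0; i < NUM_RESOURCES; i++) {
        pos = append_entry(buf, len, pos, resources[i], i == 0);
        if (pos == WKC_ERR_NOSPACE) {
            return WKC_ERR_NOSPACE;
        }
    }
    return pos;
}
```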
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11305
Vulnerability details
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource, coap_well_known_core_default_handler, writes user-provided option data and other data into a fixed-size buffer without validating that the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack locations, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of the CoAP /.well-known/core handler via crafted requests directly enables initial access through a public-facing network service (T1190); the resulting stack corruption supports arbitrary code execution or DoS on the embedded device.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-provided CoAP option data size before writing to the fixed-size buffer in coap_well_known_core_default_handler, directly preventing the buffer overflow.
- SI-16 (Memory Protection): Implements memory safeguards such as stack canaries or a non-executable stack to protect against corruption of neighboring stack locations, like return addresses, from the buffer overflow.
- Mandates timely identification, reporting, and correction of the buffer overflow flaw in RIOT versions 2026.01 and earlier per the security advisory.