Cyber Resilience

CVE-2026-27703

High · Public PoC

Published: 11 March 2026

Modified: 16 March 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0048 (37.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27703 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Riot-Os Riot. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-27703 is a buffer overflow vulnerability (CWE-787) in RIOT, an open-source operating system designed for microcontrollers in Internet of Things (IoT) devices and other embedded systems. The issue affects RIOT versions 2026.01 and earlier, specifically the default handler for the CoAP /.well-known/core resource, coap_well_known_core_default_handler. This handler writes user-provided option data and other data into a fixed-size buffer without checking that the buffer is large enough to hold the response, so an oversized response corrupts neighboring stack locations.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Remote attackers with network access can exploit it without authentication or user interaction by sending crafted CoAP requests to the affected resource. Successful exploitation allows corruption of security-sensitive stack areas, such as return addresses, potentially resulting in denial of service or arbitrary code execution.
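The defensive pattern the input-validation control calls for, as an added example that is not RIOT's code: every copy into the fixed-size response buffer is preceded by a remaining-space check, and the builder reports failure instead of writing past the end. The function names, the resource list and the buffer sizes are constructed for this demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Append src_len bytes at *pos only if they fit within cap. Returns 0 on
 * success, -1 if the data would run past the end; on -1 nothing is written,
 * so neighbouring stack memory is never touched. */
static int append_checked(char *buf, size_t cap, size_t *pos,
                          const char *src, size_t src_len)
{
    if (src_len > cap - *pos) {
        return -1;
    }
    memcpy(buf + *pos, src, src_len);
    *pos += src_len;
    return 0;
}

/* Build a CoRE link-format body "</a>,</b>,..." into buf. Returns the byte
 * count, or -1 if the whole body does not fit; the handler should then send
 * an error response instead of the buffer. The unchecked pattern behind
 * CVE-2026-27703 is this same copy loop with the length comparison missing. */
int build_well_known_core(const char *const *paths, size_t n_paths,
                          char *buf, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n_paths; i++) {
        if (i > 0 && append_checked(buf, cap, &pos, ",", 1) < 0) return -1;
        if (append_checked(buf, cap, &pos, "<", 1) < 0) return -1;
        if (append_checked(buf, cap, &pos, paths[i], strlen(paths[i])) < 0) return -1;
        if (append_checked(buf, cap, &pos, ">", 1) < 0) return -1;
    }
    return (int)pos;
}

/* Constructed scenario: two resources (a 30-byte body) written into a buffer
 * limited to `cap` bytes (at most 64). cap=64 returns 30; cap=8 returns -1
 * and the bytes beyond cap are left untouched. */
int demo_build(size_t cap)
{
    static const char *const paths[] = { "/sensor/temp", "/actuator/led" };
    char buf[64];
    if (cap > sizeof buf) {
        return -1;
    }
    return build_well_known_core(paths, 2, buf, cap);
}
```

The same check applies to any user-controlled option data the handler echoes: the comparison happens before the copy, never after it.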

Mitigation details are provided in the RIOT-OS security advisory at https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj.

Vulnerability details

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource, coap_well_known_core_default_handler, writes user-provided option data and other data into a fixed-size buffer without validating that the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack locations, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.

CWE(s): CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated exploitation of the CoAP /.well-known/core handler via crafted requests directly enables initial access through a public-facing network service (T1190); the resulting stack corruption supports arbitrary code execution or DoS on the embedded device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22214 (same product: Riot-Os Riot)
CVE-2025-66647 (same product: Riot-Os Riot)
CVE-2026-22213 (same product: Riot-Os Riot)
CVE-2026-25139 (same product: Riot-Os Riot)
CVE-2025-53888 (same product: Riot-Os Riot)
CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)

Affected Assets

riot-os riot, versions ≤ 2026.01

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Requires validation of user-provided CoAP option data size before writing to the fixed-size buffer in coap_well_known_core_default_handler, directly preventing the buffer overflow.

prevent · SI-16 Memory Protection

Implements memory safeguards such as stack canaries or non-executable stack to protect against corruption of neighboring stack locations like return addresses from the buffer overflow.

prevent · SI-2 Flaw Remediation (control identifier inferred from the description below; the page itself does not name it)

Mandates timely identification, reporting, and correction of the buffer overflow flaw in RIOT versions 2026.01 and earlier per the security advisory.
