Cyber Posture

CVE-2026-27703

High · Public PoC

Published: 11 March 2026
Modified: 16 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0009 (25.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27703 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in RIOT (NVD product: Riot-Os Riot), the open-source microcontroller operating system. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. A low EPSS score reflects expected exploitation activity across the whole population of affected systems, not the exposure of any one deployment; for a device that exposes CoAP on an untrusted network, the existence of a public PoC is the more relevant signal.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE) cited in the NVD entry.

Addresses: CWE-787

Memory protections that keep writable memory non-executable (W^X / NX) render an out-of-bounds write that injects shellcode non-executable. They do not stop the same write from overwriting a saved return address to redirect control flow into code already present, or from crashing the device. On microcontroller targets such protections depend on a memory protection unit being present and configured, so the dependable fix is the patched RIOT release referenced in the vendor advisory.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote, unauthenticated exploitation of the CoAP /.well-known/core handler via crafted requests directly enables initial access through a public-facing network service (T1190); the resulting stack corruption supports arbitrary code execution or denial of service on the embedded device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack locations, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.

Deeper analysis (AI-generated)

CVE-2026-27703 is a buffer overflow vulnerability (CWE-787) in RIOT, an open-source operating system designed for microcontrollers in Internet of Things (IoT) devices and other embedded systems. The issue affects RIOT versions 2026.01 and earlier, specifically the default handler for the CoAP /.well-known/core resource, coap_well_known_core_default_handler. /.well-known/core is the standard CoRE resource-discovery endpoint (RFC 6690), and because the vulnerable code is the default handler, any RIOT node that serves CoAP (UDP port 5683 by default) is expected to expose it. The handler writes user-provided option data and other data into a fixed-size buffer without validating whether the buffer is large enough to hold the response, so a response that exceeds the buffer corrupts neighboring stack locations.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Remote attackers with network access can exploit it without authentication or user interaction by sending crafted CoAP requests to the affected resource. Successful exploitation allows corruption of security-sensitive stack areas, such as return addresses, potentially resulting in denial of service or arbitrary code execution. Note that the vector as recorded scores high integrity impact only (C:N, A:N), while the description itself also cites denial of service; anyone triaging from the score alone should read the vector together with the description.
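To make the flaw class concrete, here is an added example written for this page; it is not RIOT's code and not the handler named in the advisory. It is a constructed /.well-known/core response builder in the unchecked form the description implies, next to a bounded version, plus a harness that measures how far the unchecked version writes past its buffer. The resource table, the WKC_CAP buffer size, the assumption that the handler echoes the client's Uri-Query string into the response, and every function name are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed CoRE Link Format (RFC 6690) fragments standing in for a
 * server's resource table. Hypothetical data for this example, not RIOT's. */
static const char *const RESOURCES[] = {
    "</sensor/temp>;rt=\"temp\"",
    "</sensor/hum>;rt=\"hum\"",
    "</led>;rt=\"actuator\"",
};
#define N_RESOURCES (sizeof RESOURCES / sizeof RESOURCES[0])

/* Assumed fixed response buffer size: the 68-byte resource list fits, an
 * attacker-chosen query string of a few dozen bytes pushes past the end. */
#define WKC_CAP 96

/* Vulnerable pattern (the flaw class described above, not RIOT's code): the
 * resource list and then the client's Uri-Query string are copied into buf
 * without ever comparing the running length to the buffer's size. */
size_t wkc_build_unchecked(char *buf, const char *query)
{
    size_t pos = 0;
    for (size_t i = 0; i < N_RESOURCES; i++) {
        if (i) {
            buf[pos++] = ',';
        }
        size_t n = strlen(RESOURCES[i]);
        memcpy(buf + pos, RESOURCES[i], n);
        pos += n;
    }
    if (query) {
        buf[pos++] = ';';
        size_t n = strlen(query);          /* attacker controls this length */
        memcpy(buf + pos, query, n);
        pos += n;
    }
    return pos;
}

/* Bounded append: refuses instead of writing past cap.
 * *pos never exceeds cap, so cap - *pos cannot underflow. */
static int append(char *buf, size_t cap, size_t *pos, const char *s, size_t n)
{
    if (n > cap - *pos) {
        return -1;
    }
    memcpy(buf + *pos, s, n);
    *pos += n;
    return 0;
}

/* Hardened form: every write is checked against the remaining capacity.
 * Returns 0 with the response length in *out_len, or -1 if the response
 * would not fit; in neither case is buf[cap] or anything beyond it written.
 * A real server would then answer 4.13 Request Entity Too Large or use
 * block-wise transfer rather than silently truncate or overflow. */
int wkc_build_checked(char *buf, size_t cap, const char *query, size_t *out_len)
{
    size_t pos = 0;
    for (size_t i = 0; i < N_RESOURCES; i++) {
        if (i && append(buf, cap, &pos, ",", 1) < 0) {
            return -1;
        }
        if (append(buf, cap, &pos, RESOURCES[i], strlen(RESOURCES[i])) < 0) {
            return -1;
        }
    }
    if (query) {
        if (append(buf, cap, &pos, ";", 1) < 0 ||
            append(buf, cap, &pos, query, strlen(query)) < 0) {
            return -1;
        }
    }
    *out_len = pos;
    return 0;
}

/* Harness: a 256-byte frame whose first WKC_CAP bytes act as the response
 * buffer and whose remaining bytes, filled with 0xAA, stand in for the
 * neighbouring stack (saved registers, return address). Either builder is fed
 * a 60-byte query; the return value is how many neighbour bytes changed. */
int neighbour_bytes_clobbered(int use_checked)
{
    unsigned char frame[256];
    char query[61];
    size_t len = 0;
    memset(frame, 0xAA, sizeof frame);
    memset(query, 'A', 60);
    query[60] = '\0';
    if (use_checked) {
        wkc_build_checked((char *)frame, WKC_CAP, query, &len);   /* returns -1, stops in bounds */
    } else {
        wkc_build_unchecked((char *)frame, query);                /* writes 129 bytes into 96 */
    }
    int hit = 0;
    for (size_t i = WKC_CAP; i < sizeof frame; i++) {
        hit += (frame[i] != 0xAA);
    }
    return hit;
}

/* Response length the bounded builder produces for a query, or -1. */
int wkc_checked_len(const char *query)
{
    char buf[WKC_CAP];
    size_t len = 0;
    return wkc_build_checked(buf, WKC_CAP, query, &len) == 0 ? (int)len : -1;
}

int main(void)
{
    printf("unchecked builder clobbered %d neighbour bytes\n", neighbour_bytes_clobbered(0));
    printf("checked builder clobbered %d neighbour bytes\n", neighbour_bytes_clobbered(1));
    printf("checked length with no query: %d\n", wkc_checked_len(NULL));
    printf("checked length with 28-byte query: %d\n", wkc_checked_len("AAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The unchecked builder overruns its 96-byte region by 33 bytes (129 written); on a real stack frame those bytes are the saved registers and return address the advisory describes, and the attacker chose their count and content via the query string. The bounded builder fails closed: a 27-byte query fills the buffer exactly and succeeds, a 28-byte query is rejected, and the neighbouring bytes are never touched in either case.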

Mitigation details are provided in the RIOT-OS security advisory at https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj.

Details

CWE(s): CWE-787 Out-of-bounds Write

Affected Products: riot-os riot ≤ 2026.01

CVEs Like This One

CVE-2026-22214 (same product: Riot-Os Riot)
CVE-2026-22213 (same product: Riot-Os Riot)
CVE-2025-66647 (same product: Riot-Os Riot)
CVE-2026-25139 (same product: Riot-Os Riot)
CVE-2025-53888 (same product: Riot-Os Riot)
CVE-2026-21897 (shared CWE-787)
CVE-2025-29385 (shared CWE-787)
CVE-2025-26508 (shared CWE-787)
CVE-2025-29386 (shared CWE-787)
CVE-2025-25742 (shared CWE-787)

References

RIOT-OS security advisory GHSA-qgj4-9jff-93cj: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj