VYPR
Medium severityOSV Advisory· Published Jan 21, 2026· Updated Apr 15, 2026

CVE-2025-69209

CVE-2025-69209

Description

ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large decimalPlaces values to the affected String constructors or concat methods, the dtostrf function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards.

Patches

References

Credits

  • Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • 1.6.22, 1.6.23, 1.8.1, …+ 1 more
    • (no CPE)range: 1.6.22, 1.6.23, 1.8.1, …
    • (no CPE)range: <1.8.7

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.