VYPR
Unrated severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 4, 2026

RIOT Vulnerable to Multiple Out-of-Bounds Reads When Processing Received 6LoWPAN SFR Fragments

CVE-2026-25139

Description

RIOT is an open-source microcontroller operating system designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds reads allow any unauthenticated user with the ability to send or manipulate input packets to read adjacent memory locations or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating that the packet is large enough to contain the struct object. At time of publication, no known patch exists.
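As an added illustration of the missing validation described above (example code, not RIOT's own), the parser below checks that a received frame can hold the fixed-size fragment header before interpreting any of it, and that the declared fragment size does not overrun the bytes actually received. The header layout, dispatch value and names are assumptions for this example, loosely modelled on the RFC 8931 RFRAG header, not RIOT's sixlowpan_sfr_rfrag_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative fixed-size RFRAG header, loosely modelled on RFC 8931. The
 * layout is an assumption for this example, not RIOT's sixlowpan_sfr_rfrag_t. */
typedef struct {
    uint8_t disp;         /* dispatch byte, assumed 1110100x */
    uint8_t tag;          /* datagram tag */
    uint8_t seq_size[2];  /* 5-bit sequence + 10-bit fragment size, big-endian */
    uint8_t offset[2];    /* fragment offset, big-endian */
} sfr_rfrag_hdr_t;

#define SFR_RFRAG_DISP_MASK 0xfeu
#define SFR_RFRAG_DISP      0xe8u

typedef struct {
    uint8_t tag, seq;
    uint16_t frag_size, offset;
    size_t payload_len;   /* bytes actually present after the header */
} sfr_rfrag_t;

/* 0 on success, -1 if the frame cannot hold the header, -2 on dispatch
 * mismatch, -3 if the declared size overruns the frame. Never reads past
 * buf[len - 1]. */
int sfr_rfrag_parse(const uint8_t *buf, size_t len, sfr_rfrag_t *out)
{
    /* Length check before touching the header: the validation the advisory
     * describes as missing. */
    if (buf == NULL || out == NULL || len < sizeof(sfr_rfrag_hdr_t)) {
        return -1;
    }
    sfr_rfrag_hdr_t hdr;
    memcpy(&hdr, buf, sizeof(hdr));   /* copy rather than cast: no alignment trap */
    if ((hdr.disp & SFR_RFRAG_DISP_MASK) != SFR_RFRAG_DISP) {
        return -2;
    }
    uint16_t seq_size = (uint16_t)((hdr.seq_size[0] << 8) | hdr.seq_size[1]);
    out->tag = hdr.tag;
    out->seq = (uint8_t)((seq_size >> 10) & 0x1fu);
    out->frag_size = seq_size & 0x3ffu;
    out->offset = (uint16_t)((hdr.offset[0] << 8) | hdr.offset[1]);
    out->payload_len = len - sizeof(hdr);
    return (out->frag_size > out->payload_len) ? -3 : 0;
}

/* Constructed sample frames (not captured traffic): one well-formed, one
 * truncated inside the header. */
static const uint8_t frame_ok[] = {0xe8, 0x2a, 0x0c, 0x04, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t frame_short[] = {0xe8, 0x2a, 0x0c};
```

Running `sfr_rfrag_parse` over `frame_short` returns -1 without reading beyond the three bytes supplied, which is the behaviour the unchecked cast lacks.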

Affected products

  • Riot OS / Riot: versions <= 2025.10 (no CPE assigned)

