CVE-2026-25139

Name of the Vulnerable Software and Affected Versions RIOT versions 2025.10 and prior

Description The RIOT operating system, designed for IoT and embedded devices, contains an issue where out-of-bounds read operations can occur. An unauthenticated user capable of sending or manipulating input packets can potentially read adjacent memory locations or cause a device crash when using the 6LoWPAN stack. This happens because a received packet is cast into a sixlowpan sfr rfrag t struct and then dereferenced without verifying the packet size is sufficient to contain the struct.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.