{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T22:08:02.315","vulnerabilities":[{"cve":{"id":"CVE-2026-22213","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-01-12T23:15:52.300","lastModified":"2026-01-21T17:44:38.543","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption."},{"lang":"es","value":"Las versiones de RIOT OS hasta e incluyendo 2026.01-devel-317 contienen una vulnerabilidad de desbordamiento de búfer basado en pila en la utilidad tapslip6. La vulnerabilidad es causada por una concatenación de cadenas insegura en la función devopen(), que construye una ruta de dispositivo utilizando una entrada controlada por el usuario sin límites. La utilidad utiliza strcpy() y strcat() para concatenar el prefijo fijo '/dev/' con un nombre de dispositivo proporcionado por el usuario, suministrado a través de la opción de línea de comandos -s, sin verificación de límites. Esto permite a un atacante suministrar un nombre de dispositivo excesivamente largo y desbordar un búfer de pila de tamaño fijo, lo que lleva a fallos del proceso y corrupción de memoria."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.4,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-121"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*","versionEndExcluding":"2025.10","matchCriteriaId":"3EE45C18-0705-45D6-9363-63017333DFF1"},{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*","matchCriteriaId":"51045419-7276-4017-8857-04DDBF865A1F"},{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*","matchCriteriaId":"D10D5F2C-4666-4D21-AED8-BE67DF223745"}]}]}],"references":[{"url":"https://github.com/RIOT-OS/RIOT","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://seclists.org/fulldisclosure/2026/Jan/15","source":"disclosure@vulncheck.com","tags":["Exploit","Mailing List","Third Party Advisory"]},{"url":"https://www.riot-os.org/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}