{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T03:53:51.381","vulnerabilities":[{"cve":{"id":"CVE-2026-22214","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-01-12T23:15:52.453","lastModified":"2026-01-21T17:43:51.967","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-121"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*","versionEndExcluding":"2025.10","matchCriteriaId":"3EE45C18-0705-45D6-9363-63017333DFF1"},{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:2026.01:devel:*:*:*:*:*:*","matchCriteriaId":"51045419-7276-4017-8857-04DDBF865A1F"},{"vulnerable":true,"criteria":"cpe:2.3:o:riot-os:riot:2026.01:rc1:*:*:*:*:*:*","matchCriteriaId":"D10D5F2C-4666-4D21-AED8-BE67DF223745"}]}]}],"references":[{"url":"https://github.com/RIOT-OS/RIOT","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://seclists.org/fulldisclosure/2026/Jan/16","source":"disclosure@vulncheck.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://www.riot-os.org/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}
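The _handle_char() bug class described in this record, shown as an added example in C (this is not RIOT's ethos code and does not reproduce its frame format): a byte-at-a-time serial frame parser that appends each payload byte into a fixed-size buffer, once without the bounds check the advisory says is missing, and once with it. The 0x7E delimiter, 0x7D escape prefix with XOR 0x20, the 64-byte buffer and the 8-byte canary standing in for whatever sits above the buffer on the real stack are all assumptions made for the demo.

```c
/* Added example, not RIOT's ethos code: models the _handle_char() bug class from
 * CVE-2026-22214, a serial frame parser appending into a fixed-size buffer, first
 * without a bounds check and then with one. Framing constants, buffer size and the
 * escape rule are assumptions for this demo, not taken from RIOT. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_DELIM 0x7E   /* assumed frame delimiter */
#define FRAME_ESC   0x7D   /* assumed escape prefix; next byte is XORed with 0x20 */
#define FRAME_MAX   64     /* assumed fixed frame buffer size */
#define CANARY_LEN  8      /* bytes above the buffer, standing in for saved registers/return address */

/* Simulated stack frame: buffer and the bytes above it share one array so the
 * overflowing write is defined behaviour here; in the real process it lands on
 * whatever the compiler placed after the buffer. */
struct sim_stack { uint8_t mem[FRAME_MAX + CANARY_LEN]; };

struct parser {
    struct sim_stack *stack;   /* stack->mem[0 .. FRAME_MAX) is the frame buffer */
    size_t idx;                /* current write index */
    int in_frame, escaped, frames_ok, frames_dropped;
};
typedef void (*handler_fn)(struct parser *, uint8_t);

/* Shared framing state machine; returns 1 when *c is payload to be stored. */
static int frame_step(struct parser *p, uint8_t *c)
{
    if (*c == FRAME_DELIM) {
        if (p->in_frame && p->idx > 0) p->frames_ok++;   /* previous frame complete */
        p->in_frame = 1; p->idx = 0; p->escaped = 0;
        return 0;
    }
    if (!p->in_frame) return 0;
    if (*c == FRAME_ESC) { p->escaped = 1; return 0; }
    if (p->escaped) { *c ^= 0x20; p->escaped = 0; }
    return 1;
}

/* Vulnerable form (CWE-121): idx is never compared against the buffer size. */
static void handle_char_vuln(struct parser *p, uint8_t c)
{
    if (!frame_step(p, &c)) return;
    p->stack->mem[p->idx++] = c;   /* runs past FRAME_MAX on a long frame */
}

/* Hardened form: an oversize frame is dropped and the parser resyncs on the next delimiter. */
static void handle_char_safe(struct parser *p, uint8_t c)
{
    if (!frame_step(p, &c)) return;
    if (p->idx >= FRAME_MAX) {
        p->frames_dropped++;
        p->in_frame = 0;           /* ignore the rest of this frame */
        return;
    }
    p->stack->mem[p->idx++] = c;
}

/* Feed one frame of `len` 'A' bytes through h; return how many canary bytes were
 * overwritten. len is capped at the simulated stack so the demo itself stays in
 * bounds; the real program has no such cap, hence the crash in the advisory. */
static int run_frame(handler_fn h, size_t len, int *ok, int *dropped)
{
    struct sim_stack s;
    struct parser p = { &s, 0, 0, 0, 0, 0 };
    memset(s.mem, 0xAA, FRAME_MAX);
    memset(s.mem + FRAME_MAX, 0xCC, CANARY_LEN);      /* must survive untouched */
    if (len > sizeof s.mem) len = sizeof s.mem;
    h(&p, FRAME_DELIM);
    for (size_t i = 0; i < len; i++) h(&p, 0x41);     /* 'A' is neither delimiter nor escape */
    h(&p, FRAME_DELIM);                               /* closing delimiter */
    int clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (s.mem[FRAME_MAX + i] != 0xCC) clobbered++;
    if (ok) *ok = p.frames_ok;
    if (dropped) *dropped = p.frames_dropped;
    return clobbered;
}

int vuln_canary_clobbered(size_t len) { return run_frame(handle_char_vuln, len, NULL, NULL); }
int safe_canary_clobbered(size_t len) { return run_frame(handle_char_safe, len, NULL, NULL); }
int safe_frames_ok(size_t len)       { int ok = 0; run_frame(handle_char_safe, len, &ok, NULL); return ok; }
int safe_frames_dropped(size_t len)  { int d = 0;  run_frame(handle_char_safe, len, NULL, &d); return d; }

/* Decode one escaped payload byte with the hardened handler; returns the stored byte. */
int safe_decode_escaped(uint8_t raw)
{
    struct sim_stack s;
    struct parser p = { &s, 0, 0, 0, 0, 0 };
    handle_char_safe(&p, FRAME_DELIM);
    handle_char_safe(&p, FRAME_ESC);
    handle_char_safe(&p, raw);
    return s.mem[0];
}
```

A 72-byte frame (buffer size plus canary) through the vulnerable handler overwrites all 8 canary bytes, while the hardened handler stores the first 64 bytes, counts one dropped frame and leaves the canary intact; a 64-byte frame is delivered by both. The only difference between the two handlers is the single `idx >= FRAME_MAX` comparison before the store, which is the check the description says _handle_char() lacks. Dropping the frame and resynchronising on the next delimiter is one reasonable policy; truncating silently is not, because it hands a corrupted frame to the next layer. When auditing a real parser of this shape, compile it with AddressSanitizer and drive it with frames longer than the buffer; the vulnerable path is reported on the first store past the end.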