CVE-2025-66646
- Source
- https://cve.org/CVERecord?id=CVE-2025-66646
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66646.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-66646
- Aliases
-
- GHSA-v8gx-q9m6-5xm9
- Published
- 2025-12-17T19:18:08.696Z
- Modified
- 2026-03-13T03:42:20.287326Z
- Severity
-
- 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- RIOT-OS has NULL pointer dereference in gnrc_ipv6_ext_frag_reass
- Details
-
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the
gnrc_ipv6_ext_fragmodule must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66646.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-476" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66646.json
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L420
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L490
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L534
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c#L150C1-L150C76
- https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v8gx-q9m6-5xm9
- https://github.com/user-attachments/files/23903992/reproducer_1.zip
- https://nvd.nist.gov/vuln/detail/CVE-2025-66646
Affected packages
Git / github.com/riot-os/riot
Affected versions
2013.*
2013.08
2014.*
2014.01
2014.05
2014.12
2015.*
2015.09-RC1
2015.12-RC1
2015.12-devel
2016.*
2016.03-devel
2016.04-RC1
2016.07-RC1
2016.07-RC2
2016.07-devel
2016.10-RC1
2016.10-devel
2017.*
2017.01-RC1
2017.01-devel
2017.04-RC1
2017.04-devel
2017.07-RC1
2017.07-devel
2017.10-RC1
2017.10-devel
2018.*
2018.01-RC1
2018.01-devel
2018.04-RC1
2018.04-devel
2018.07-RC1
2018.07-devel
2018.10-RC1
2018.10-devel
2019.*
2019.01-RC1
2019.01-devel
2019.04-RC1
2019.04-devel
2019.07-RC1
2019.07-devel
2019.10-RC1
2019.10-devel
2020.*
2020.01-RC1
2020.01-devel
2020.04-RC1
2020.04-devel
2020.07-RC1
2020.07-devel
2020.10-RC1
2020.10-devel
2021.*
2021.01-RC1
2021.01-devel
2021.04-RC1
2021.04-devel
2021.07-RC1
2021.07-devel
2021.10-RC1
2021.10-devel
2022.*
2022.01-RC1
2022.01-devel
2022.04-RC1
2022.04-devel
2022.07-RC1
2022.07-devel
2022.10-RC1
2022.10-devel
2023.*
2023.01-RC1
2023.01-devel
2023.04-RC1
2023.04-devel
2023.07-RC1
2023.07-devel
2023.10-RC1
2023.10-devel
2024.*
2024.01-RC1
2024.01-devel
2024.04
2024.04-RC1
2024.04-devel
2024.07-RC1
2024.07-devel
2024.10-RC1
2024.10-devel
2025.*
2025.01-RC1
2025.01-devel
2025.04-RC1
2025.04-devel
2025.07-devel