CVE-2025-66646 in RIOT-OS

Summary

by MITRE • 12/17/2025

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving a fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.


Analysis

by VulDB Data Team • 01/22/2026

CVE-2025-66646 is a NULL pointer dereference in the IPv6 fragment reassembly code of RIOT OS, an operating system for microcontroller-class IoT devices. It affects RIOT OS 2025.07 and is triggered by a fragmented IPv6 packet whose fragment offset is 0 and whose payload is empty. For such a fragment the stack records the absence of data by setting the payload pointer to NULL, but the reassembly path does not consult that pointer before copying the fragment into the reassembly buffer. The result is a crash of the operating system: a remotely triggerable denial of service, not code execution or data exposure.

The flaw is a missing NULL check in the gnrc_ipv6_ext_frag module, which implements reassembly of IPv6 fragments in RIOT's GNRC network stack. When a packet arrives carrying a Fragment extension header with offset 0 and no payload bytes after the header, the parsing code sets the payload pointer to NULL to mark the fragment as empty. The reassembly code then copies the payload into the reassembly buffer without first checking that pointer, dereferences NULL and crashes the OS. This is CWE-476 (NULL Pointer Dereference). Because the reassembly code runs inside the single network stack of an embedded system, the fault brings down the whole device rather than one process, so an input-validation error in a protocol parser becomes a complete denial of service. Devices built without the gnrc_ipv6_ext_frag module do not reassemble fragments and are not affected.
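The following C program is an added illustration of the bug class described above, not RIOT's code: the snip_t/rbuf_t types, the constructed sample fragments and every function name are assumptions made for the example. It parses an RFC 8200 Fragment extension header, sets the payload pointer to NULL when the fragment carries no payload, and shows a reassembly routine that trusts that pointer next to one that rejects the empty fragment before any dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class in the advisory, not RIOT's code: the
 * snip/rbuf types and every function name below are assumptions. */

typedef struct { const uint8_t *data; size_t size; } snip_t;  /* payload segment */
typedef struct { uint16_t offset; int more; uint32_t id; } frag_hdr_t;

#define RBUF_SIZE 1280
typedef struct { uint8_t buf[RBUF_SIZE]; size_t received; } rbuf_t;

/* Parse the 8-byte RFC 8200 fragment header. Returns -1 if truncated, else 0
 * with *payload pointing at the bytes after the header, or NULL when the
 * fragment carries no payload (the advisory's trigger condition). */
static int frag_parse(const uint8_t *pkt, size_t len, frag_hdr_t *hdr,
                      snip_t *storage, snip_t **payload)
{
    if (len < 8) {
        return -1;
    }
    uint16_t field = (uint16_t)((pkt[2] << 8) | pkt[3]);
    hdr->offset = (uint16_t)((field >> 3) * 8);   /* top 13 bits, in 8-octet units */
    hdr->more   = field & 0x1;                    /* M flag */
    hdr->id     = ((uint32_t)pkt[4] << 24) | ((uint32_t)pkt[5] << 16) |
                  ((uint32_t)pkt[6] << 8)  |  (uint32_t)pkt[7];
    if (len == 8) {
        *payload = NULL;                          /* empty fragment */
        return 0;
    }
    storage->data = pkt + 8;
    storage->size = len - 8;
    *payload = storage;
    return 0;
}

/* Vulnerable pattern: trusts that a payload segment exists. With an empty
 * fragment, payload is NULL and payload->size faults (CWE-476). */
static int rbuf_add_vulnerable(rbuf_t *rb, const frag_hdr_t *hdr, const snip_t *payload)
{
    if ((size_t)hdr->offset + payload->size > RBUF_SIZE) {
        return -1;
    }
    memcpy(rb->buf + hdr->offset, payload->data, payload->size);
    rb->received += payload->size;
    return 0;
}

/* Hardened pattern: drop an empty fragment before anything dereferences it. */
static int rbuf_add_hardened(rbuf_t *rb, const frag_hdr_t *hdr, const snip_t *payload)
{
    if (payload == NULL || payload->size == 0) {
        return -2;                                /* nothing to reassemble */
    }
    if ((size_t)hdr->offset + payload->size > RBUF_SIZE) {
        return -1;                                /* would overrun the buffer */
    }
    memcpy(rb->buf + hdr->offset, payload->data, payload->size);
    rb->received += payload->size;
    return 0;
}

/* Constructed sample fragments (not captured traffic): next header 58 (ICMPv6),
 * reserved 0, offset 0 with M=1, identification 1. */
static const uint8_t FRAG_EMPTY[8] = { 58, 0, 0x00, 0x01, 0, 0, 0, 1 };
static const uint8_t FRAG_DATA[24]  = { 58, 0, 0x00, 0x01, 0, 0, 0, 1,
    0x80, 0x00, 0x00, 0x00, 0x12, 0x34, 0x00, 0x01, 'p','i','n','g','d','a','t','a' };

/* 1 if the empty fragment parses to offset 0 with a NULL payload pointer. */
static int empty_fragment_has_null_payload(void)
{
    frag_hdr_t hdr; snip_t storage, *payload;
    return frag_parse(FRAG_EMPTY, sizeof FRAG_EMPTY, &hdr, &storage, &payload) == 0
           && payload == NULL && hdr.offset == 0;
}

/* Result of the hardened add for the empty fragment (-2: dropped, no crash). */
static int hardened_result_for_empty_fragment(void)
{
    rbuf_t rb = { .received = 0 }; frag_hdr_t hdr; snip_t storage, *payload;
    frag_parse(FRAG_EMPTY, sizeof FRAG_EMPTY, &hdr, &storage, &payload);
    return rbuf_add_hardened(&rb, &hdr, payload);
}

/* Bytes either version reassembles from the well-formed fragment (they agree). */
static long bytes_reassembled(int use_hardened)
{
    rbuf_t rb = { .received = 0 }; frag_hdr_t hdr; snip_t storage, *payload;
    frag_parse(FRAG_DATA, sizeof FRAG_DATA, &hdr, &storage, &payload);
    int rc = use_hardened ? rbuf_add_hardened(&rb, &hdr, payload)
                          : rbuf_add_vulnerable(&rb, &hdr, payload);
    return rc == 0 ? (long)rb.received : -1;
}

int main(void)
{
    printf("empty fragment -> NULL payload: %d\n", empty_fragment_has_null_payload());
    printf("hardened add on empty fragment: %d\n", hardened_result_for_empty_fragment());
    printf("data fragment, vulnerable/hardened: %ld/%ld bytes\n",
           bytes_reassembled(0), bytes_reassembled(1));
    /* rbuf_add_vulnerable is deliberately never given FRAG_EMPTY: on a target
     * it dereferences NULL and takes the OS down. */
    return 0;
}
```

Both add routines behave identically on the well-formed fragment; they diverge only on the empty one, which is the whole point of the check. Whether the rejection lives in the add routine, as here, or in the parser that produced the NULL pointer is a design choice; what matters is that no code path copies from a fragment whose payload pointer was never checked.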

From an operational perspective this is a remotely triggerable denial of service with few prerequisites. The target must have the gnrc_ipv6_ext_frag module enabled, which is the case on any RIOT build that reassembles fragmented IPv6 traffic, and the attacker must be able to deliver IPv6 packets to the device, whether from the same link or from any network that routes to it. No authentication or prior interaction is needed, and because the malformed fragment is processed in the network stack before any application code sees it, application-level controls do not help. Since the crash takes down the whole operating system rather than one service, a device without a watchdog or other automatic restart stays offline until it is manually reset; sensors, actuators and gateways in remote or physically inaccessible locations are affected most, and an attacker who can keep sending the packet can keep the device down.

The fix is to upgrade to RIOT OS 2025.10, which contains the patch for this issue. Operators should inventory deployed devices for RIOT OS 2025.07 and prioritize those reachable over IPv6 from untrusted networks. Where an immediate firmware update is not possible, exposure can be reduced by filtering fragmented IPv6 traffic destined for the constrained nodes at a border router or gateway (at the cost of dropping legitimate fragmented traffic), or by building firmware without the gnrc_ipv6_ext_frag module where fragment reassembly is not needed. A correct fix rejects or skips a fragment whose payload pointer is NULL, or whose payload length is zero, before any copy into the reassembly buffer; the patch itself is not reproduced here, so the exact change should be confirmed against the RIOT OS 2025.10 release. As with any network-stack change, the update should be tested against the deployment's own traffic before roll-out, and network monitoring can alert on IPv6 fragments with offset 0 and no payload, which is the packet shape that triggers the crash.

Responsible

GitHub M

Reservation

12/05/2025

Disclosure

12/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00281

KEV

no

Activities

very low
