CVE-2026-14629 in RT-Threadinfo

Summary

by MITRE • 07/04/2026

A flaw has been found in RT-Thread up to 5.2.2. Affected is the function read/write/sys_ioctl of the file components/lwp/lwp_syscall.c of the component Parameter Handler. Executing a manipulation can lead to divide by zero. The attack may be launched remotely. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/04/2026

The vulnerability identified in RT-Thread versions up to 5.2.2 represents a critical divide-by-zero error within the parameter handler component, specifically affecting the read/write/sys_ioctl functions located in components/lwp/lwp_syscall.c. This flaw manifests as a denial-of-service condition that can be exploited remotely through manipulation of input parameters, making it particularly dangerous for embedded systems and IoT devices that rely on RT-Thread for their operational integrity. The vulnerability stems from inadequate input validation within the system call handling mechanism, where division operations occur without proper checks for zero denominators, creating an exploitable path for attackers to disrupt normal system operation.

The technical nature of this vulnerability places it squarely within CWE-369, which addresses the divide by zero weakness in software systems. The flaw operates at the kernel level within RT-Thread's lightweight process management subsystem, specifically targeting the parameter handling functions that process system calls from user-space applications. When malicious input reaches these functions, particularly through improperly validated parameters during read/write operations or ioctl command processing, the system attempts to perform division operations with zero as the divisor, resulting in immediate system termination or abnormal behavior. This type of vulnerability directly impacts the availability and stability of embedded systems that depend on RT-Thread's process management capabilities.

The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling more sophisticated attacks within the context of the ATT&CK framework under the T1499 sub-technique for network denial-of-service. Remote exploitation allows attackers to target devices running vulnerable RT-Thread versions without requiring physical access or elevated privileges, making it particularly concerning for IoT deployments, industrial control systems, and embedded networking equipment. The availability of published exploits means that this vulnerability can be actively weaponized by threat actors, with the potential for widespread disruption across connected devices that implement affected RT-Thread versions in their firmware implementations.

Mitigation strategies should focus on immediate patch application once the fix is accepted and merged into the official codebase, while also implementing defensive programming practices such as input validation and parameter checking within application code. System administrators should conduct comprehensive inventory assessments to identify all devices running RT-Thread versions 5.2.2 or earlier, particularly those exposed to untrusted network environments. Additional protective measures may include network segmentation, firewall rules that restrict access to system call interfaces, and monitoring for unusual system behavior or crash patterns that might indicate exploitation attempts. The vulnerability highlights the importance of robust input validation in embedded systems development and demonstrates how seemingly simple mathematical operations can create critical security weaknesses when proper error handling is omitted from kernel-level components.

Responsible

VulDB

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00309

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!