RIOT OS Buffer Overflow Vulnerability in IPv6 Fragmentation Reassembly

Vulnerability

A buffer overflow vulnerability has been identified in RIOT OS version 2025.07 in the IPv6 fragmentation reassembly code (the gnrc_ipv6_ext_frag module). The reassembly buffer for a given fragment ID is allocated with the size of the first fragment received for that ID, but the implementation performs no size check when it copies the data of a fragment with offset 0 into that buffer. An attacker can therefore send a short first fragment, so that a small reassembly buffer is allocated, followed by a second, larger IPv6 fragment carrying the same fragment ID and an offset of 0. The second copy runs past the end of the reassembly buffer and corrupts the state of the neighbouring packet buffers, which at minimum crashes the node and, with a crafted payload, potentially allows remote code execution.

Impact

Exploitation requires only that the attacker can deliver two IPv6 fragments to the affected node. The overflow writes past the reassembly buffer into adjacent packet buffers, corrupting both their metadata and their data. The immediate consequence is a denial-of-service condition in which the operating system crashes; because the overwritten bytes are attacker-controlled, the corruption can also be steered into an arbitrary memory write, potentially resulting in remote code execution.

Reproduction

Reproduction requires an example application built with the 'gnrc_ipv6_ext_frag' module enabled. Send two IPv6 fragments with the same fragment ID and an offset of 0. The first fragment should be short, so that a correspondingly small reassembly buffer is allocated. When the second, larger fragment arrives, its payload is copied without a size check and overflows the reassembly buffer, corrupting the memory behind it. The advisory refers to a provided exploit script that sends this sequence.
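The two-fragment sequence described in the Vulnerability and Reproduction sections above, modelled in C as an added example. This is not RIOT OS code: the rbuf_t structure, the pool layout, the fragment ID 0x1234 and the 8-byte and 96-byte fragment sizes are constructed for illustration. rbuf_add_vuln copies a fragment without checking it against the buffer size fixed by the first fragment; rbuf_add_fixed adds the missing bound check. A canary pattern behind the reassembly buffer stands in for the metadata of the neighbouring packet buffer so that corruption can be observed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet-buffer pool (not RIOT's allocator): the reassembly
 * buffer occupies the front of the pool and the next packet buffer, whose
 * metadata is represented by a canary byte pattern, sits directly behind it. */
#define POOL_SIZE 128
#define CANARY    0xA5

typedef struct {
    uint32_t id;               /* IPv6 fragment identification value */
    size_t   size;             /* bytes reserved for reassembly, fixed by the first fragment */
    uint8_t  pool[POOL_SIZE];
} rbuf_t;

typedef struct {
    uint32_t       id;
    uint16_t       offset;     /* fragment offset in bytes; 0 marks a first fragment */
    size_t         len;
    const uint8_t *payload;
} frag_t;

/* Allocate the reassembly buffer for a fragment ID, sized from the first
 * fragment seen for that ID; everything behind it belongs to the neighbour. */
static void rbuf_init(rbuf_t *rb, const frag_t *first)
{
    rb->id   = first->id;
    rb->size = first->len;
    memset(rb->pool, 0, rb->size);
    memset(rb->pool + rb->size, CANARY, POOL_SIZE - rb->size);
}

/* Vulnerable pattern: the copy trusts that an offset-0 fragment fits in a
 * buffer whose size was fixed by an earlier offset-0 fragment. The POOL_SIZE
 * test only keeps this model inside its own array; it is not the missing check. */
static int rbuf_add_vuln(rbuf_t *rb, const frag_t *f)
{
    if (f->id != rb->id || (size_t)f->offset + f->len > POOL_SIZE)
        return -1;
    memcpy(rb->pool + f->offset, f->payload, f->len);   /* may run past rb->size */
    return 0;
}

/* Hardened pattern: a fragment that would extend past the allocated
 * reassembly buffer is dropped before any byte is copied. */
static int rbuf_add_fixed(rbuf_t *rb, const frag_t *f)
{
    if (f->id != rb->id)
        return -1;
    if ((size_t)f->offset + f->len > rb->size)
        return -2;                                      /* oversized fragment rejected */
    memcpy(rb->pool + f->offset, f->payload, f->len);
    return 0;
}

/* True while no byte of the neighbouring packet buffer has been touched. */
static bool neighbour_intact(const rbuf_t *rb)
{
    for (size_t i = rb->size; i < POOL_SIZE; i++)
        if (rb->pool[i] != CANARY)
            return false;
    return true;
}

/* Replay the advisory's sequence: a short fragment with offset 0, then a
 * larger one with the same ID and offset 0. Returns whether the neighbour
 * survived; *second_rc receives the return code of the second insertion. */
static bool run_sequence(int (*add)(rbuf_t *, const frag_t *), int *second_rc)
{
    uint8_t small[8], big[96];
    memset(small, 'A', sizeof small);
    memset(big, 'B', sizeof big);
    frag_t first  = { .id = 0x1234, .offset = 0, .len = sizeof small, .payload = small };
    frag_t second = { .id = 0x1234, .offset = 0, .len = sizeof big,   .payload = big };

    rbuf_t rb;
    rbuf_init(&rb, &first);            /* 8-byte reassembly buffer */
    add(&rb, &first);
    *second_rc = add(&rb, &second);    /* same ID, offset 0, 96 bytes */
    return neighbour_intact(&rb);
}

int main(void)
{
    int rc;
    bool ok = run_sequence(rbuf_add_vuln, &rc);
    printf("vulnerable: second fragment rc=%d, neighbour intact=%s\n", rc, ok ? "yes" : "no");
    ok = run_sequence(rbuf_add_fixed, &rc);
    printf("fixed:      second fragment rc=%d, neighbour intact=%s\n", rc, ok ? "yes" : "no");
    return 0;
}
```

With the vulnerable insertion the second fragment is accepted and the canary behind the 8-byte buffer is overwritten; with the bound check it is rejected before the copy and the neighbour stays intact. The check is on the size fixed at allocation, not on the incoming fragment's own claimed size, which is the distinction the advisory describes.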

Remediation

Users should upgrade to RIOT OS version 2025.10 or later, where this vulnerability has been fixed. Where an immediate upgrade is not possible and the application does not need IPv6 fragment reassembly, building without the 'gnrc_ipv6_ext_frag' module removes the affected code path.

Added: Dec 17, 2025, 9:21 PM
Updated: Dec 17, 2025, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 5.0
exploitability: 5.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.