RIOT Operating System Out-of-Bounds Write Vulnerability in nanoCoAP Handler Allowing Memory Corruption

Vulnerability

An out-of-bounds write vulnerability has been identified in the RIOT operating system in versions through 2026.01. The issue lies in the default handler for the well_known_core resource, coap_well_known_core_default_handler, which copies user-provided option data into a fixed-size buffer without validating its length against the buffer's capacity. The overflow can corrupt adjacent stack memory, including security-critical values such as the saved return address, and may lead to a denial-of-service condition or to arbitrary code execution.

Impact

Exploitation of this vulnerability can cause stack memory corruption, overwriting of sensitive data and addresses, and potentially hijacking of the server's execution, particularly in embedded systems lacking memory protections.

Reproduction

To reproduce this vulnerability, deploy a RIOT application (version 2026.01 or earlier) that uses the nanoCoAP server implementation and exposes the well-known/core resource to untrusted clients, with the extended token length feature enabled. Once the server is running, send a CoAP packet whose header declares an extended token length greater than 112 bytes. The vulnerable handler processes the packet and writes the unchecked data into the fixed-size buffer, corrupting memory.
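The defensive pattern the advisory implies, as an added illustration that is not RIOT's nanoCoAP code: decode the CoAP token length (including the RFC 8974 extended encoding, where a TKL nibble of 13 or 14 adds one or two length bytes) and refuse the message when the declared length exceeds the fixed buffer, instead of copying it in. The 112-byte buffer size mirrors the threshold quoted above; the function names, the message builder and the 0xAB token bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed buffer size: the advisory's 112-byte threshold. */
#define TOKEN_BUF_SIZE 112

/* Decode the token length of a CoAP message (RFC 7252 + RFC 8974 extension).
 * buf points at the 4-byte CoAP header, len is the whole message length.
 * On success returns the token length and stores the header size consumed
 * (4, 5 or 6 bytes) in *hdr_len; returns -1 on a reserved TKL or a message
 * too short to hold the extended length bytes. */
int coap_token_len_decode(const uint8_t *buf, size_t len, size_t *hdr_len)
{
    if (len < 4) {
        return -1;
    }
    unsigned tkl = buf[0] & 0x0f;
    if (tkl < 13) {
        *hdr_len = 4;
        return (int)tkl;
    }
    if (tkl == 13) {                      /* one extended byte, offset 13 */
        if (len < 5) return -1;
        *hdr_len = 5;
        return buf[4] + 13;
    }
    if (tkl == 14) {                      /* two extended bytes, offset 269 */
        if (len < 6) return -1;
        *hdr_len = 6;
        return ((buf[4] << 8) | buf[5]) + 269;
    }
    return -1;                            /* TKL 15 is reserved */
}

/* Copy the token into a fixed-size buffer only if it fits and is fully
 * present in the message. Returns the number of bytes copied, or -1 when
 * the message must be dropped. The length-vs-capacity check is the one
 * the advisory describes as missing. */
int coap_token_copy_checked(const uint8_t *msg, size_t len,
                            uint8_t *out, size_t out_size)
{
    size_t hdr;
    int tkl = coap_token_len_decode(msg, len, &hdr);
    if (tkl < 0) return -1;
    if ((size_t)tkl > out_size) return -1;   /* would overflow: reject */
    if (hdr + (size_t)tkl > len) return -1;  /* truncated token: reject */
    memcpy(out, msg + hdr, (size_t)tkl);
    return tkl;
}

/* Build a constructed CoAP GET whose token is tkl bytes long (extended
 * encoding when tkl >= 13) and run the checked copy into a stack buffer
 * of TOKEN_BUF_SIZE bytes. Returns the copy result (-2 if tkl is too
 * large for the constructed message storage). */
int try_token_len(size_t tkl)
{
    uint8_t msg[6 + 1024];
    uint8_t token_buf[TOKEN_BUF_SIZE];
    size_t hdr;
    if (tkl > 1024) return -2;
    msg[0] = 0x40;                        /* version 1, CON, TKL set below */
    msg[1] = 0x01;                        /* code 0.01 GET */
    msg[2] = 0x00; msg[3] = 0x01;         /* message ID */
    if (tkl < 13) {
        msg[0] |= (uint8_t)tkl;
        hdr = 4;
    } else if (tkl < 269) {
        msg[0] |= 13;
        msg[4] = (uint8_t)(tkl - 13);
        hdr = 5;
    } else {
        uint16_t ext = (uint16_t)(tkl - 269);
        msg[0] |= 14;
        msg[4] = (uint8_t)(ext >> 8);
        msg[5] = (uint8_t)(ext & 0xff);
        hdr = 6;
    }
    memset(msg + hdr, 0xAB, tkl);         /* constructed token bytes */
    return coap_token_copy_checked(msg, hdr + tkl, token_buf, sizeof(token_buf));
}
```

try_token_len(112) succeeds while try_token_len(113) returns -1, which is exactly the boundary the advisory's reproduction step crosses; a reserved TKL of 15 or a message shorter than its declared extended length is likewise rejected before any copy takes place.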

Added: Mar 11, 2026, 8:31 PM
Updated: Mar 11, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm

spread:         2.4
impact:         7.5
exploitability: 5.0
remediation:    0.0
relevance:      3.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.