CVE-2024-31225

8.3 HIGH

📋 TL;DR

CVE-2024-31225 is a buffer overflow vulnerability in RIOT OS's _on_rd_init() function that lacks bounds checking when copying data to a static buffer. This allows attackers to potentially execute arbitrary code or cause denial of service on affected devices. The vulnerability affects systems running RIOT OS with the cord/lc module enabled.

💻 Affected Systems

Products:
  • RIOT OS
Versions: All versions up to and including current release (as of advisory date)
Operating Systems: RIOT OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires cord/lc module to be enabled and used in the application


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data exfiltration, or persistent backdoor installation

🟠 Likely Case: Denial of service causing device crashes or instability in constrained IoT environments

🟢 If Mitigated: Controlled crash with device restart if bounds checking is implemented

🌐 Internet-Facing: HIGH - IoT devices often have internet exposure and limited security controls
🏢 Internal Only: MEDIUM - Internal IoT networks may still be vulnerable to lateral movement

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted network packets to vulnerable devices

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2572-7q7c-3965

Restart Required: Yes

Instructions:

1. Monitor RIOT GitHub for official patch release
2. Apply patch when available
3. Recompile and redeploy firmware to affected devices

🔧 Temporary Workarounds

Workaround 1: Manual bounds checking implementation
  Applies to: all
  Add size validation before copying data to _result_buf in the _on_rd_init() function
  Edit the cord_lc.c file at line 218 and add bounds checking logic

Workaround 2: Disable cord/lc module
  Applies to: all
  Remove or disable the vulnerable cord/lc module if not required
  Modify the application configuration to exclude the cord/lc module
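The first workaround asks for a size check before data is copied into a static buffer. The C snippet below is an added illustration of that check and is not RIOT code or the body of _on_rd_init(): the buffer name, its size (64 bytes), and the function names copy_unchecked, copy_bounded and try_copy_fill are assumptions chosen for the example. It shows the unchecked copy pattern beside the bounded form, which rejects a payload that would not fit and leaves the buffer untouched on rejection.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: a fixed-size static result buffer standing in for the
   kind of buffer the advisory describes. The size is a constructed value,
   not taken from RIOT. */
#define RESULT_BUF_LEN 64
static char result_buf[RESULT_BUF_LEN];

/* The defect pattern: the payload length comes from the network and is never
   compared with the destination size. Shown for contrast only; this file
   never calls it with a length larger than the buffer. */
static void copy_unchecked(const unsigned char *payload, size_t len)
{
    memcpy(result_buf, payload, len); /* writes past result_buf when len >= RESULT_BUF_LEN */
}

/* Hardened form: validate the length against the destination before copying.
   Returns the number of bytes stored, or -1 when the payload would not fit
   (one byte is reserved so the buffer stays a NUL-terminated C string).
   On rejection the buffer is left untouched, so the caller can report the
   error without having partially overwritten earlier state. */
static int copy_bounded(const unsigned char *payload, size_t len)
{
    if (payload == NULL || len >= RESULT_BUF_LEN) {
        return -1;
    }
    memcpy(result_buf, payload, len);
    result_buf[len] = '\0';
    return (int)len;
}

/* Read-only view of the buffer so callers (and tests) can check its state. */
static const char *result_buf_contents(void)
{
    return result_buf;
}

/* Helper: build a constructed payload of len 'A' bytes (capped at 256) and
   feed it to copy_bounded, mimicking an oversized or in-bounds message. */
static int try_copy_fill(size_t len)
{
    unsigned char payload[256];
    if (len > sizeof payload) {
        return -2; /* outside what this helper can construct */
    }
    memset(payload, 'A', len);
    return copy_bounded(payload, len);
}

int main(void)
{
    /* Constructed in-bounds message; copy_unchecked is safe here only because len is known small. */
    const unsigned char small[] = "ok";
    copy_unchecked(small, 2);
    printf("bounded, 2 bytes: %d\n", copy_bounded(small, 2));             /* 2 */
    printf("bounded, 200 bytes: %d\n", try_copy_fill(200));               /* -1 */
    printf("bounded, 63 bytes: %d\n", try_copy_fill(RESULT_BUF_LEN - 1)); /* 63 */
    printf("buffer now: %s\n", result_buf_contents());
    return 0;
}
```

The check compares the attacker-controlled length with the destination size, not with the source, and rejects rather than truncates: silent truncation can hide the fact that malformed input is arriving, which is exactly what the detection section below wants to see.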

🧯 If You Can't Patch

  • Segment IoT devices on isolated network segments with strict firewall rules
  • Implement network monitoring for abnormal packet sizes targeting cord/lc services

🔍 How to Verify

Check if Vulnerable:

Check whether your RIOT OS version includes the cord_lc.c file and verify that the _on_rd_init() function lacks bounds checking

Check Version:

Check RIOT OS version in build configuration or via device firmware query

Verify Fix Applied:

Verify bounds checking has been added to _on_rd_init() function in cord_lc.c

📡 Detection & Monitoring

Log Indicators:

  • Device crashes, abnormal restarts, memory corruption errors

Network Indicators:

  • Unusually large packets sent to cord/lc services on RIOT devices

SIEM Query:

source_ip sends packet_size > [threshold] to destination_port [cord/lc_port]
