CVE-2025-66646
📋 TL;DR
A NULL pointer dereference vulnerability in RIOT OS's IPv6 fragmentation reassembly allows remote attackers to crash the operating system by sending specially crafted IPv6 packets. This affects IoT and embedded devices running RIOT OS with the gnrc_ipv6_ext_frag module enabled. The vulnerability results in denial of service (DoS) by causing the OS to crash.
💻 Affected Systems
- RIOT OS
📦 What is this software?
Riot by Riot Os
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring physical reset or power cycle, potentially disrupting critical IoT operations in industrial, medical, or infrastructure systems.
Likely Case
Temporary service disruption until device restarts, affecting device availability and potentially causing data loss in active operations.
If Mitigated
No impact if IPv6 fragmentation is disabled or devices are behind proper network filtering.
🎯 Exploit Status
Exploitation requires sending crafted IPv6 packets with fragment offset 0 and empty payload to trigger the NULL pointer dereference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2025.10
Vendor Advisory: https://github.com/RIOT-OS/RIOT/security/advisories
Restart Required: Yes
Instructions:
1. Update RIOT OS to version 2025.10 or later.
2. Rebuild and flash the updated firmware to affected devices.
3. Verify the gnrc_ipv6_ext_frag module is properly patched.
🔧 Temporary Workarounds
Disable IPv6 Fragmentation
Disable the gnrc_ipv6_ext_frag module in the RIOT OS configuration to prevent exploitation (applies to all platforms).
In the RIOT OS build configuration, remove or comment out the line 'USEMODULE += gnrc_ipv6_ext_frag'.
Network Filtering
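Linux: Block IPv6 fragmented packets at the network perimeter or firewall.
# IPv6 traffic is filtered by ip6tables, not iptables. INPUT covers the filtering host itself, FORWARD covers devices behind it.
ip6tables -A INPUT -m ipv6header --header frag --soft -j DROP
ip6tables -A FORWARD -m ipv6header --header frag --soft -j DROP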
🧯 If You Can't Patch
- Disable the gnrc_ipv6_ext_frag module in device configuration
- Implement network-level filtering to block all IPv6 fragmented packets to affected devices
🔍 How to Verify
Check if Vulnerable:
Check if running RIOT OS version 2025.07 or earlier with gnrc_ipv6_ext_frag module enabled in configuration.
Check Version:
Check RIOT OS version in source code or device firmware version string
Verify Fix Applied:
Verify RIOT OS version is 2025.10 or later and test with crafted IPv6 fragmented packets with empty payload.
📡 Detection & Monitoring
Log Indicators:
- System crash logs
- Kernel panic messages
- Unexpected device reboots
Network Indicators:
- Incoming IPv6 packets with fragment offset 0 and minimal/empty payload
SIEM Query:
source="network" AND protocol="IPv6" AND fragment_offset=0 AND payload_size<10
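The network indicator above (a Fragment header with offset 0 and no fragment payload) can be checked on a gateway or capture host with a small bounds-checked parser. This is an added example, not RIOT code and not part of the advisory; the function name classify_ipv6, the verdict enum and the sample packet in main are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum frag_verdict { MALFORMED = -1, NOT_FRAGMENT, FRAGMENT_OK, FRAGMENT_SUSPECT };
enum { IPV6_HDR_LEN = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };

/* Classify one raw IPv6 packet (buffer starts at the IPv6 header). */
enum frag_verdict classify_ipv6(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return MALFORMED;
    /* The Payload Length field bounds the walk and must fit the capture. */
    size_t end = IPV6_HDR_LEN + (((size_t)pkt[4] << 8) | pkt[5]);
    if (end > len)
        return MALFORMED;
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    /* Skip extension headers that may precede the Fragment header. */
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (end - off < 8)
            return MALFORMED;
        size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        if (ext_len > end - off)
            return MALFORMED;
        nh = pkt[off];
        off += ext_len;
    }
    if (nh != NH_FRAGMENT)
        return NOT_FRAGMENT;
    if (end - off < 8)
        return MALFORMED;
    /* Upper 13 bits of bytes 2-3 hold the fragment offset in 8-octet units. */
    unsigned frag_offset = (((unsigned)pkt[off + 2] << 8) | pkt[off + 3]) >> 3;
    size_t frag_payload = end - (off + 8);
    return (frag_offset == 0 && frag_payload == 0) ? FRAGMENT_SUSPECT : FRAGMENT_OK;
}

int main(void)
{
    /* Constructed sample: IPv6 header plus a bare Fragment header, zeroed addresses. */
    uint8_t pkt[48] = {0};
    pkt[0] = 0x60; pkt[5] = 8; pkt[6] = NH_FRAGMENT; pkt[7] = 64; pkt[40] = 17;
    printf("verdict=%d\n", classify_ipv6(pkt, sizeof pkt));
    return 0;
}
```

A FRAGMENT_SUSPECT verdict is a reason to log or drop the packet before it reaches a device that has not been updated; the check does not handle jumbograms or tunnelled IPv6.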
🔗 References
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L420
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L490
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L534
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c#L150C1-L150C76
- https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v8gx-q9m6-5xm9
- https://github.com/user-attachments/files/23903992/reproducer_1.zip