CVE-2025-66647
📋 TL;DR
A buffer overflow in RIOT OS's IPv6 fragment reassembly (module gnrc_ipv6_ext_frag) lets a remote, unauthenticated attacker corrupt memory by sending crafted IPv6 fragments to a device. Affected are IoT devices running a RIOT OS build that includes gnrc_ipv6_ext_frag; the memory corruption can crash the device and may allow remote code execution. The only precondition is the ability to deliver IPv6 packets to the vulnerable device.
💻 Affected Systems
- RIOT OS
📦 What is this software?
RIOT (RIOT OS) by the RIOT-OS project: an open-source, real-time, multithreaded operating system for resource-constrained IoT devices. Its GNRC network stack implements IPv6 fragmentation and reassembly in the optional gnrc_ipv6_ext_frag module, which is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, data exfiltration, or device becoming part of a botnet.
Likely Case
Device crash (denial of service) or memory corruption leading to unpredictable behavior.
If Mitigated
Limited impact if network segmentation prevents IPv6 packet injection or if the vulnerable module is disabled.
🎯 Exploit Status
Exploitation needs only the ability to deliver crafted IPv6 fragments to the device; no authentication or prior interaction is required. Triggering the overflow means choosing fragment offsets and lengths that defeat the reassembly buffer's size accounting, so the attacker must understand how gnrc_ipv6_ext_frag allocates and grows its reassembly buffer.
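The validation a fragment reassembler has to perform before it copies a fragment into its buffer, shown here as an added illustration of the bug class. This is example code written for this page, not RIOT's gnrc_ipv6_ext_frag implementation: the fixed 1280-byte slot, the reass_entry_t type and the return codes are assumptions made for the example. Every check runs before any state is touched, and the bounds test is written so that offset + len cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed slot size for this example (RIOT sizes its reassembly
 * buffer differently; nothing here is RIOT code). */
#define REASS_CAPACITY 1280u
#define REASS_UNITS    (REASS_CAPACITY / 8u)

enum {
    REASS_OK          = 0,  /* stored, datagram still incomplete */
    REASS_COMPLETE    = 1,  /* stored, datagram now complete */
    REASS_ERR_BOUNDS  = -1, /* offset + len would write past the buffer */
    REASS_ERR_OVERLAP = -2, /* overlaps data already received */
    REASS_ERR_LENGTH  = -3, /* bad alignment or inconsistent total length */
};

typedef struct {
    uint8_t data[REASS_CAPACITY];
    uint8_t filled[REASS_UNITS / 8u]; /* one bit per 8-byte unit */
    size_t  received;                 /* payload bytes stored so far */
    size_t  total_len;                /* known once the last fragment arrives, else 0 */
} reass_entry_t;

void reass_init(reass_entry_t *e) { memset(e, 0, sizeof *e); }

static bool unit_filled(const reass_entry_t *e, size_t u) { return (e->filled[u / 8u] >> (u % 8u)) & 1u; }
static void unit_mark(reass_entry_t *e, size_t u) { e->filled[u / 8u] |= (uint8_t)(1u << (u % 8u)); }

/* Store one fragment. offset is the byte offset from the Fragment header
 * (13-bit field already multiplied by 8); last is true when the M flag is 0.
 * All checks run before any state is modified, so a rejected fragment leaves
 * the entry untouched. */
int reass_insert(reass_entry_t *e, size_t offset, const uint8_t *frag, size_t len, bool last)
{
    /* RFC 8200: offsets are 8-byte aligned and every fragment but the last is a multiple of 8. */
    if (len == 0 || offset % 8u != 0 || (!last && len % 8u != 0)) return REASS_ERR_LENGTH;

    /* The bounds check this bug class is about: compute the end without wrapping
     * and refuse anything that would write outside the reassembly buffer. */
    if (offset > REASS_CAPACITY || len > REASS_CAPACITY - offset) return REASS_ERR_BOUNDS;
    size_t end = offset + len;
    size_t first_unit = offset / 8u, end_unit = (end + 7u) / 8u; /* end_unit is exclusive */

    /* Only one last fragment, and no fragment may reach beyond the known end. */
    if (last) {
        if (e->total_len != 0 && e->total_len != end) return REASS_ERR_LENGTH;
        for (size_t u = end_unit; u < REASS_UNITS; u++) if (unit_filled(e, u)) return REASS_ERR_LENGTH;
    } else if (e->total_len != 0 && end > e->total_len) {
        return REASS_ERR_LENGTH;
    }
    /* Duplicates and overlaps (e.g. a second offset-0 fragment) are rejected, not merged. */
    for (size_t u = first_unit; u < end_unit; u++) if (unit_filled(e, u)) return REASS_ERR_OVERLAP;

    memcpy(e->data + offset, frag, len);
    for (size_t u = first_unit; u < end_unit; u++) unit_mark(e, u);
    e->received += len;
    if (last) e->total_len = end;
    /* Stored bytes never overlap and all lie below total_len, so equality means full coverage. */
    return (e->total_len != 0 && e->received == e->total_len) ? REASS_COMPLETE : REASS_OK;
}

int main(void)
{
    reass_entry_t e;
    uint8_t head[16], tail[8];
    reass_init(&e);
    memset(head, 0xAA, sizeof head);
    memset(tail, 0xBB, sizeof tail);
    printf("first fragment:     %d\n", reass_insert(&e, 0, head, 16, false));
    printf("duplicate offset 0: %d\n", reass_insert(&e, 0, head, 16, false));
    printf("offset past buffer: %d\n", reass_insert(&e, 2000, tail, 8, false));
    printf("last fragment:      %d\n", reass_insert(&e, 16, tail, 8, true));
    return 0;
}
```

The point of the ordering is that a second offset-0 fragment, an oversized follow-up fragment and a fragment placed past the end of the slot all fail a check before memcpy runs; an implementation that sizes or grows its buffer from one fragment and then copies the next without re-checking offset + len against the allocation is exactly what this CVE class looks like.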
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.10
Vendor Advisory: https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
Restart Required: Yes
Instructions:
1. Update RIOT OS to version 2025.10 or later.
2. Rebuild your application against the updated RIOT source.
3. Flash the updated firmware to affected devices.
4. Restart the devices to apply the new firmware.
🔧 Temporary Workarounds
Disable IPv6 fragmentation module
Remove gnrc_ipv6_ext_frag from USEMODULE in your application's Makefile (or equivalent build configuration) and rebuild. Confirm with the RIOT build system's `make info-modules` target that the module is no longer in the final build, since it can also be pulled in as a dependency. Without the module the device drops any datagram carrying an IPv6 Fragment header instead of reassembling it, so check that nothing in the deployment depends on receiving IPv6 datagrams larger than the link MTU.
Network segmentation
Isolate IoT devices on separate network segments so that untrusted hosts cannot deliver IPv6 packets to them.
🧯 If You Can't Patch
- Implement strict network ACLs that drop IPv6 packets carrying a Fragment extension header (Next Header 44) from untrusted sources before they reach the devices
- Monitor devices for crashes or abnormal behavior indicating potential exploitation attempts
🔍 How to Verify
Check if Vulnerable:
A device is vulnerable if it runs a RIOT OS release up to and including 2025.07 (or a development snapshot that predates the fix in 2025.10) AND the gnrc_ipv6_ext_frag module is part of its build. `make info-modules` in the application directory lists every module in the final build, including those pulled in as dependencies.
Check Version:
Read the RIOT_VERSION macro in the generated riotbuild.h in the build directory, or examine the firmware's version string.
Verify Fix Applied:
Verify that RIOT OS is 2025.10 or later, and that the gnrc_ipv6_ext_frag.c in your tree matches the version shipped in that release rather than the pre-fix code paths the advisory points at (lines 411, 481, 532 and 544 of the referenced revision).
📡 Detection & Monitoring
Log Indicators:
- Device crashes, hard faults or spontaneous reboots
- Kernel panic or memory-corruption output on the serial console
- Unexpected packet buffer (gnrc pktbuf) allocation failures
Network Indicators:
- Unusual volumes of IPv6 fragmented traffic directed at IoT devices
- More than one fragment with offset 0 for the same (source, destination, identification) tuple
- A small offset-0 fragment followed by much larger fragments of the same datagram
SIEM Query (pseudo-logic; map the field names onto your platform's IPv6 fragment-header fields):
ipv6.fragment.offset == 0 AND (count(ipv6.fragment.offset == 0) per (src, dst, ipv6.fragment.id) > 1 OR later fragment length > offset-0 fragment length)
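A small detector for the network indicators above, added here as an example; it is not part of RIOT or of any SIEM product. It parses the IPv6 header plus Fragment extension header from raw packet bytes, keeps per-datagram state keyed by (source, destination, identification), and flags a repeated offset-0 fragment, any repeated offset, and fragments larger than the initial one. The sample packets (fe80::1 to fe80::2, identification 0xDEADBEEF, zero-filled payloads) are constructed inline; the table sizes and alert names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN  40u
#define FRAG_HDR_LEN  8u
#define NH_FRAGMENT   44u   /* IPv6 Fragment extension header */
#define NH_NONE       59u   /* "No Next Header", used by the constructed samples */
#define MAX_DATAGRAMS 16u   /* assumption: tiny fixed tables for the example */
#define MAX_OFFSETS   32u

enum {
    ALERT_DUP_FIRST  = 1,   /* a second fragment with offset 0 for the same datagram */
    ALERT_DUP_OFFSET = 2,   /* any offset seen twice for the same datagram */
    ALERT_GROWING    = 4,   /* a later fragment larger than the offset-0 fragment */
};

typedef struct {
    uint8_t  src[16], dst[16];
    uint32_t ident;
    uint16_t offset;     /* byte offset (13-bit field << 3) */
    bool     more;       /* M flag */
    uint16_t frag_len;   /* bytes after the Fragment header */
} frag_info_t;

typedef struct {
    bool     used;
    uint8_t  src[16], dst[16];
    uint32_t ident;
    uint16_t first_len;  /* length of the offset-0 fragment, 0 if not seen yet */
    uint16_t offsets[MAX_OFFSETS];
    size_t   n_offsets;
} dgram_state_t;

typedef struct { dgram_state_t d[MAX_DATAGRAMS]; } frag_monitor_t;

/* Parse an IPv6 packet whose first extension header is Fragment (only that layout is handled). */
bool parse_ipv6_fragment(const uint8_t *pkt, size_t len, frag_info_t *out)
{
    if (len < IPV6_HDR_LEN + FRAG_HDR_LEN || (pkt[0] >> 4) != 6 || pkt[6] != NH_FRAGMENT) return false;
    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_len < FRAG_HDR_LEN || (size_t)payload_len + IPV6_HDR_LEN > len) return false;
    const uint8_t *fh = pkt + IPV6_HDR_LEN;
    memcpy(out->src, pkt + 8, 16);
    memcpy(out->dst, pkt + 24, 16);
    out->offset   = (uint16_t)(((fh[2] << 8) | fh[3]) & 0xFFF8u);
    out->more     = (fh[3] & 0x01u) != 0;
    out->ident    = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) | ((uint32_t)fh[6] << 8) | fh[7];
    out->frag_len = (uint16_t)(payload_len - FRAG_HDR_LEN);
    return true;
}

static dgram_state_t *monitor_lookup(frag_monitor_t *m, const frag_info_t *f)
{
    dgram_state_t *spare = NULL;
    for (size_t i = 0; i < MAX_DATAGRAMS; i++) {
        dgram_state_t *d = &m->d[i];
        if (!d->used) { if (!spare) spare = d; continue; }
        if (d->ident == f->ident && !memcmp(d->src, f->src, 16) && !memcmp(d->dst, f->dst, 16)) return d;
    }
    if (spare) {   /* new datagram; when the table is full this example simply drops state */
        memset(spare, 0, sizeof *spare);
        spare->used = true; spare->ident = f->ident;
        memcpy(spare->src, f->src, 16); memcpy(spare->dst, f->dst, 16);
    }
    return spare;
}

/* Feed one parsed fragment; returns a bitmask of ALERT_* raised by this fragment. */
int frag_monitor_observe(frag_monitor_t *m, const frag_info_t *f)
{
    dgram_state_t *d = monitor_lookup(m, f);
    int alerts = 0;
    if (!d) return 0;
    for (size_t i = 0; i < d->n_offsets; i++) if (d->offsets[i] == f->offset) alerts |= ALERT_DUP_OFFSET;
    if (f->offset == 0) { if (d->first_len) alerts |= ALERT_DUP_FIRST; else d->first_len = f->frag_len; }
    else if (d->first_len && f->frag_len > d->first_len) alerts |= ALERT_GROWING;
    if (d->n_offsets < MAX_OFFSETS) d->offsets[d->n_offsets++] = f->offset;
    return alerts;
}

/* Constructed sample input: fe80::1 -> fe80::2, Fragment header, zero-filled payload. */
size_t build_fragment(uint8_t *buf, size_t cap, uint32_t ident, uint16_t offset, bool more, uint16_t frag_len)
{
    size_t total = IPV6_HDR_LEN + FRAG_HDR_LEN + frag_len;
    if (cap < total || offset % 8u != 0) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                                         /* version 6 */
    buf[4] = (uint8_t)((FRAG_HDR_LEN + frag_len) >> 8);    /* payload length */
    buf[5] = (uint8_t)((FRAG_HDR_LEN + frag_len) & 0xFFu);
    buf[6] = NH_FRAGMENT; buf[7] = 64;                     /* next header, hop limit */
    buf[8] = 0xFE; buf[9] = 0x80; buf[23] = 1;             /* src fe80::1 */
    buf[24] = 0xFE; buf[25] = 0x80; buf[39] = 2;           /* dst fe80::2 */
    uint8_t *fh = buf + IPV6_HDR_LEN;
    fh[0] = NH_NONE;
    fh[2] = (uint8_t)(offset >> 8);
    fh[3] = (uint8_t)((offset & 0xF8u) | (more ? 1u : 0u));
    fh[4] = (uint8_t)(ident >> 24); fh[5] = (uint8_t)(ident >> 16);
    fh[6] = (uint8_t)(ident >> 8);  fh[7] = (uint8_t)ident;
    return total;
}

/* Replays the pattern described by the indicators above and returns the union of alerts. */
int demo_alerts(void)
{
    static const struct { uint16_t off; bool more; uint16_t len; } seq[] = {
        { 0, true, 8 }, { 8, true, 1024 }, { 0, true, 8 }, { 1032, false, 16 },
    };
    frag_monitor_t mon; uint8_t pkt[1500]; frag_info_t fi; int alerts = 0;
    memset(&mon, 0, sizeof mon);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        size_t n = build_fragment(pkt, sizeof pkt, 0xDEADBEEFu, seq[i].off, seq[i].more, seq[i].len);
        if (n && parse_ipv6_fragment(pkt, n, &fi)) alerts |= frag_monitor_observe(&mon, &fi);
    }
    return alerts;
}
```

In a deployment the parsed fragments would come from a capture library or an IDS hook rather than from build_fragment, and the per-datagram entries need a timeout so that an attacker cannot fill the table. Only the case where Fragment is the first extension header is handled; chained extension headers need a header walk before the fragment fields are read.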
🔗 References
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L481
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532
- https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544
- https://github.com/RIOT-OS/RIOT/releases/tag/2025.10
- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-wh3v-q6vr-j79r