CVE-2025-66646

CVE-2025-66646 is a high-severity vulnerability in Riot-os Riot with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-476.

Key facts

Description

RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.

Frequently asked questions

What is CVE-2025-66646?
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving an fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue.
How severe is CVE-2025-66646?
CVE-2025-66646 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2025-66646 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-66646?
CVE-2025-66646 primarily affects Riot-os Riot. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2025-66646?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-66646 have an EU (EUVD) identifier?
Yes. CVE-2025-66646 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-203929.
When was CVE-2025-66646 published?
CVE-2025-66646 was published on 2025-12-17 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Riot-os Riot

All CVEs affecting Riot-os Riot →

Other CWE-476 (NULL Pointer Dereference) vulnerabilities

Browse all CWE-476 (NULL Pointer Dereference) vulnerabilities →