Vulnerability Description
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Riot-Os | Riot | <= 2026.01 |
Related Weaknesses (CWE)
References
- https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cjExploitVendor Advisory
FAQ
What is CVE-2026-27703?
CVE-2026-27703 is a vulnerability with a CVSS score of 7.5 (HIGH). RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler ...
How severe is CVE-2026-27703?
CVE-2026-27703 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27703?
Check the references section above for vendor advisories and patch information. Affected products include: Riot-Os Riot.