RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2…

RIOT open-source microcontroller operating system for IoT devices contains a critical buffer overflow vulnerability in version 2026.01 and earlier. The vulnerability exists in the coap_well_known_core_default_handler function which writes user-provided data to a fixed-size buffer without proper validation. Attackers can exploit this flaw to corrupt stack memory, including security-sensitive addresses like return addresses. This can lead to denial of service attacks or arbitrary code execution on affected IoT devices. The vulnerability affects the well_known_core resource handler in the CoAP implementation.