CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A vulnerability was found in RT-Thread 5.1.0. It has been rated as critical. Affected by this issue is the function sys_select of the file rt-thread/components/lwp/lwp_syscall.c of the component Parameter Handler. The manipulation of the argument timeout leads to memory corruption. The vendor explains, that "[t]he timeout parameter should be checked to check if it can be accessed correctly in kernel mode and used temporarily in kernel memory."
Analysis
Memory corruption in the sys_select syscall handler of RT-Thread 5.1.0: a user-space process can hand the kernel a timeout pointer that the handler uses without validation. The defect sits in the lwp (lightweight process) component. The published CVSS 3.1 vector scores it 8.0 (High on the CVSS qualitative scale; the source advisory rates it critical) with high impact on confidentiality, integrity and availability, i.e. potential for kernel code execution, information disclosure and denial of service. The vector's AV:A (adjacent network) is hard to reconcile with a syscall-argument bug, which is reached by code already running as a user-space process on the device; treat it as exploitable by any untrusted local process. No public exploit code or in-the-wild exploitation has been confirmed at this time, but a user-to-kernel memory-safety bug of this kind warrants prompt patching.
Technical Context
RT-Thread is a real-time operating system commonly deployed in embedded and IoT devices. The vulnerability exists in rt-thread/components/lwp/lwp_syscall.c, in the sys_select function that implements the POSIX select() syscall for user-space processes; the lwp component provides lightweight process support and the user-space syscall layer. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) indicates an out-of-bounds memory access. The root cause, per the vendor's own statement, is that the timeout argument is neither checked for accessibility from kernel mode nor copied into kernel memory before use: the handler dereferences the user-supplied pointer directly. A process can therefore pass a pointer to an unmapped page (a kernel fault, hence denial of service) or to a kernel address, giving an out-of-bounds read in kernel context and, if the handler stores the remaining time back through the same pointer as select() implementations commonly do, a kernel write at an attacker-chosen address. This is the classic user/kernel boundary defect in syscall argument marshalling: a pointer that crosses the privilege boundary is trusted without checking that it lies within the caller's address space and without taking a kernel-side copy before the values are used.
Affected Products
RT-Thread 5.1.0 is the version named by the advisory. The defect lives in the lwp (lightweight process) component, so only builds with user-space process support enabled expose it. CPE data would typically be: cpe:2.3:a:rt-thread:rt-thread:5.1.0:*:*:*:*:*:*:*. Earlier 5.x releases that share the same lwp syscall code, and any later release built before the fix landed, should be checked against the fixed source rather than assumed clean. Because the bug is in the syscall handler itself, exposure does not depend on whether legitimate applications use select() for I/O multiplexing: any user-space process able to issue the syscall can trigger it. Embedded systems, IoT devices, real-time control systems, and industrial automation platforms running RT-Thread 5.1.0 with user-space process support enabled are in scope.
Remediation
Patch promptly. Users should: 1) update to an RT-Thread release or commit that contains the fix for sys_select, obtained from the official RT-Thread GitHub repository (https://github.com/RT-Thread/rt-thread) or its security advisories, and confirm by inspecting lwp_syscall.c that the timeout pointer is validated against the calling process's address space and copied into a kernel-side struct before any field is read or written; 2) if patching is not immediately possible, do not run untrusted user-space code on the device, since the bug is reachable by any lwp process that can issue the syscall, and restricting legitimate use of select() does not remove that path; 3) do not count on hardware isolation or generic hardening (NX, user-process ASLR) to contain it, because the defect is the kernel itself dereferencing an address handed to it by user space, which MMU separation between user and kernel does not prevent.
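The user/kernel boundary defect described under Technical Context, and the check-then-copy fix that Remediation asks you to confirm in lwp_syscall.c, as an added C example that is not RT-Thread's code. The address space (user_mem, kernel_secret), the struct tv_arg layout, the user_range_ok() helper and the millisecond conversion are constructed stand-ins chosen so the program runs on a host; in the real kernel the range check and the copy are the lwp component's lwp_user_accessable() and lwp_get_from_user() helpers, and the timeout handling is whatever sys_select does with the struct.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct timeval as seen by the syscall layer. */
struct tv_arg {
    long tv_sec;
    long tv_usec;
};

/* Constructed address space for the demo: user_mem stands in for the calling
 * process's mapped memory, kernel_secret for kernel data the process must
 * never reach. Both are ordinary globals here; in RT-Thread the check would be
 * lwp_user_accessable() against the LWP's real mappings. */
static struct tv_arg user_mem[16];
static struct tv_arg kernel_secret = { 7, 0 };

/* Stand-in for lwp_user_accessable(): true only if [p, p+len) lies entirely
 * inside user_mem. Compares the remaining space instead of computing p + len,
 * so a huge len cannot wrap the arithmetic. */
static int user_range_ok(const void *p, size_t len)
{
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_mem;
    uintptr_t hi = lo + sizeof user_mem;
    if (p == NULL || len == 0 || a < lo || a >= hi)
        return 0;
    return len <= hi - a;
}

/* Vulnerable shape: the user pointer is dereferenced directly in kernel
 * context. A caller can point it at kernel_secret (or at an unmapped page). */
static int sys_select_timeout_vuln(const struct tv_arg *timeout, long *ticks_out)
{
    if (timeout == NULL) {            /* NULL means block indefinitely */
        *ticks_out = -1;
        return 0;
    }
    *ticks_out = timeout->tv_sec * 1000 + timeout->tv_usec / 1000;
    return 0;
}

/* Hardened shape: validate the range, copy into a kernel-side struct, then
 * validate the values of the copy (never the user memory, which the process
 * can change underneath us between check and use). */
static int sys_select_timeout_fixed(const struct tv_arg *timeout, long *ticks_out)
{
    struct tv_arg tv;

    if (timeout == NULL) {
        *ticks_out = -1;
        return 0;
    }
    if (!user_range_ok(timeout, sizeof tv))
        return -EFAULT;
    memcpy(&tv, timeout, sizeof tv);  /* stand-in for lwp_get_from_user() */
    if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= 1000000)
        return -EINVAL;
    if (tv.tv_sec > (LONG_MAX - 999) / 1000)  /* keep the ms conversion from overflowing */
        return -EINVAL;
    *ticks_out = tv.tv_sec * 1000 + tv.tv_usec / 1000;
    return 0;
}

int main(void)
{
    long t;
    user_mem[3].tv_sec = 2; user_mem[3].tv_usec = 500000;

    sys_select_timeout_fixed(&user_mem[3], &t);
    printf("valid user timeout      -> %ld ms\n", t);                   /* 2500 */

    sys_select_timeout_vuln(&kernel_secret, &t);
    printf("vuln, kernel pointer    -> %ld ms (kernel data leaked)\n", t); /* 7000 */

    printf("fixed, kernel pointer   -> %d\n",
           sys_select_timeout_fixed(&kernel_secret, &t));                 /* -EFAULT */
    printf("fixed, straddling end   -> %d\n",
           sys_select_timeout_fixed((const struct tv_arg *)((char *)&user_mem[15] + 4), &t)); /* -EFAULT */
    user_mem[0].tv_sec = -1; user_mem[0].tv_usec = 0;
    printf("fixed, negative seconds -> %d\n",
           sys_select_timeout_fixed(&user_mem[0], &t));                   /* -EINVAL */
    return 0;
}
```

The order in the fixed handler is the point to check when auditing a syscall: range check on the pointer, copy into kernel memory, then value checks on the copy. Checking values through the user pointer and copying afterwards reopens the window in which the process can rewrite the struct, and a range check that accepts a struct starting inside the user mapping but ending outside it (the "straddling end" case) is the same bug with a smaller reach.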
EUVD-2025-17440