CVE-2025-5868

EUVD-2025-17441, HIGH, CVSS 3.1 score 8.0
2025-06-09 [email protected]

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17441
- PoC Detected: Jul 11, 2025 - 18:11 (vuln.today), public exploit code
- CVE Published: Jun 09, 2025 - 08:15 (nvd), HIGH 8.0

Description

A vulnerability, which was classified as critical, has been found in RT-Thread 5.1.0. This issue affects the function sys_thread_sigprocmask of the file rt-thread/components/lwp/lwp_syscall.c. The manipulation of the argument how leads to improper validation of array index.

Analysis

A critical array index validation vulnerability in RT-Thread 5.1.0's signal mask syscall handler allows authenticated local attackers to read and modify kernel memory with high impact. The vulnerability exists in the sys_thread_sigprocmask function, where improper validation of the 'how' parameter enables out-of-bounds array access, potentially leading to privilege escalation or denial of service. This is an actively exploitable vulnerability requiring local access and low privileges, with no user interaction needed.

Technical Context

RT-Thread is a real-time operating system kernel commonly used in embedded IoT and microcontroller applications. The vulnerability resides in the lwp (Lightweight Process) syscall interface at rt-thread/components/lwp/lwp_syscall.c, specifically in the sys_thread_sigprocmask function. This function implements POSIX signal masking functionality (pthread_sigmask equivalent) but fails to properly validate the 'how' parameter before using it as an array index. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) indicates the root cause is insufficient bounds checking on array indexing, allowing reads/writes beyond allocated buffer boundaries. The 'how' parameter should be validated against a limited set of valid values (typically SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK) before being used to index into kernel data structures.

Affected Products

- product: RT-Thread; affected_version: 5.1.0; cpe: cpe:2.3:o:rt-thread:rt-thread:5.1.0:*:*:*:*:*:*:*; component: lwp (Lightweight Process) subsystem; file: rt-thread/components/lwp/lwp_syscall.c; function: sys_thread_sigprocmask

Remediation

Immediate actions:

(1) Upgrade to a patched version of RT-Thread beyond 5.1.0 when available from the RT-Thread project repositories. Check rt-thread.io or GitHub (github.com/RT-Thread/rt-thread) for security advisories and patches.

(2) If immediate patching is not possible, implement input validation in sys_thread_sigprocmask to explicitly check that the 'how' parameter is one of the valid POSIX values (SIG_BLOCK=0, SIG_UNBLOCK=1, SIG_SETMASK=2) before using it as an array index; reject any other values with -EINVAL.

(3) Consider restricting signal mask syscalls via security policies if not required for the application.

(4) Apply principle of least privilege to minimize user accounts with syscall access in production deployments.

Monitor RT-Thread security bulletins and community advisories for patch release timelines.
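A sketch of the bounds check described in action (2), added here as an illustration; it is not RT-Thread's code or its patch. The table `mask_ops`, the type `sig_bits`, the `HOW_*` names and `checked_sigprocmask` are hypothetical, and the numeric values are the ones quoted in the remediation text.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; values as quoted in the remediation text. */
enum { HOW_BLOCK = 0, HOW_UNBLOCK = 1, HOW_SETMASK = 2, HOW_COUNT };

typedef uint64_t sig_bits;                        /* one bit per signal */
typedef sig_bits (*mask_op)(sig_bits cur, sig_bits set);

static sig_bits op_block(sig_bits cur, sig_bits set)   { return cur | set; }
static sig_bits op_unblock(sig_bits cur, sig_bits set) { return cur & ~set; }
static sig_bits op_setmask(sig_bits cur, sig_bits set) { (void)cur; return set; }

/* Table indexed by 'how'. Indexing it with an unchecked, caller-supplied
 * value is the out-of-bounds pattern the advisory describes. */
static const mask_op mask_ops[HOW_COUNT] = {
    [HOW_BLOCK]   = op_block,
    [HOW_UNBLOCK] = op_unblock,
    [HOW_SETMASK] = op_setmask,
};

/* Validate 'how' before it is ever used as an index; return 0 or -EINVAL.
 * On -EINVAL neither *cur nor *oset is modified. */
int checked_sigprocmask(int how, const sig_bits *set, sig_bits *oset, sig_bits *cur)
{
    if (cur == NULL)
        return -EINVAL;
    /* POSIX ignores 'how' when set is NULL (query only), so the range
     * check applies only when a new mask is actually supplied. */
    if (set != NULL && (how < 0 || how >= HOW_COUNT))
        return -EINVAL;
    if (oset != NULL)
        *oset = *cur;
    if (set != NULL)
        *cur = mask_ops[how](*cur, *set);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid request, one out-of-range 'how'. */
    sig_bits cur = 0, set = 0x4;
    int ok  = checked_sigprocmask(HOW_BLOCK, &set, NULL, &cur);
    int bad = checked_sigprocmask(7, &set, NULL, &cur);
    printf("valid=%d invalid=%d mask=0x%llx\n", ok, bad, (unsigned long long)cur);
    return 0;
}
```

The range check covers negative values as well as values past the end of the table, since a signed `how` can index before the array as easily as after it.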

Priority Score

60
KEV: 0
EPSS: +0.3
CVSS: +40
POC: +20
