Skip to main content

RT-Thread CVE-2026-14607

| EUVDEUVD-2026-41564 MEDIUM
Buffer Overflow (CWE-119)
2026-07-03 VulDB GHSA-g6q3-rr42-f5h7
5.4
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local-only vector (AV:L) with low privilege required (PR:L); memory corruption causes kernel crash so A:H; no confidentiality or integrity impact indicated by description or CVSS 4.0 source data.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jul 03, 2026 - 20:22 NVD
6.8 (MEDIUM) 5.4 (MEDIUM)
Analysis Generated
Jul 03, 2026 - 20:16 vuln.today

DescriptionCVE.org

A weakness has been identified in RT-Thread up to 5.0.2. This affects the function sys_getaddrinfo of the file components/lwp/lwp_syscall.c. Executing a manipulation of the argument ai_addr can lead to memory corruption. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.

AnalysisAI

Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to crash the RTOS kernel by supplying a crafted ai_addr argument to the sys_getaddrinfo handler in components/lwp/lwp_syscall.c. All RT-Thread versions through 5.0.2 are affected, with impact limited to availability (VA:H) - no confidentiality or integrity loss is indicated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain low-privilege local execution on RT-Thread device
Delivery
Confirm lwp subsystem is active
Exploit
Craft malicious ai_addr argument
Install
Invoke sys_getaddrinfo syscall
C2
Trigger out-of-bounds memory write in kernel
Execute
Corrupt kernel memory structures
Impact
System crash (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target device to be running RT-Thread version 5.0.2 or earlier with the lwp (Linux-compatible process) subsystem compiled and active - this is not enabled in all RT-Thread configurations and represents a specific build-time choice. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) with E:P supplemental metric accurately characterizes the threat: local-only access, low complexity, low privilege, no interaction, and exclusively availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged application or user process running on an RT-Thread 5.0.2 device with lwp enabled calls `getaddrinfo()` with a specially crafted `ai_addr` pointer argument, which the kernel-side `sys_getaddrinfo` handler writes to without adequate bounds validation. The resulting out-of-bounds memory corruption in kernel space causes the RT-Thread kernel to crash, taking down all processes and services on the device. …
Remediation No officially released patched version is available at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-5865 HIGH POC
8.0 Jun 09

Critical memory corruption vulnerability in RT-Thread 5.1.0's sys_select syscall handler that allows authenticated local

CVE-2025-5867 HIGH POC
8.0 Jun 09

Critical null pointer dereference vulnerability in RT-Thread 5.1.0's lwp_syscall.c csys_sendto function, allowing authen

CVE-2025-5869 HIGH POC
8.0 Jun 09

Critical memory corruption vulnerability in RT-Thread 5.1.0's sys_recvfrom syscall handler that allows authenticated loc

CVE-2025-5866 HIGH POC
8.0 Jun 09

A security vulnerability in A vulnerability classified as critical (CVSS 8.0). Risk factors: public PoC available.

CVE-2025-5868 HIGH POC
8.0 Jun 09

Critical array index validation vulnerability in RT-Thread 5.1.0's signal mask syscall handler that allows authenticated

CVE-2025-6693 HIGH POC
7.8 Jun 26

A vulnerability, which was classified as critical, was found in RT-Thread up to 5.1.0. This affects the function sys_dev

CVE-2026-14606 HIGH POC
7.1 Jul 03

Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function with

CVE-2026-14605 HIGH POC
7.1 Jul 03

Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within t

CVE-2024-25393 CRITICAL
9.8 Mar 27

A stack buffer overflow occurs in net/at/src/at_server.c in RT-Thread through 5.0.2. Rated critical severity (CVSS 9.8),

CVE-2025-1115 MEDIUM POC
4.8 Feb 08

A vulnerability classified as problematic was found in RT-Thread up to 5.1.0. Rated medium severity (CVSS 4.8), this vul

CVE-2024-25395 HIGH
8.8 Mar 27

A buffer overflow occurs in utilities/rt-link/src/rtlink.c in RT-Thread through 5.0.2. Rated high severity (CVSS 8.8), t

CVE-2024-25391 HIGH
8.4 Mar 27

A stack buffer overflow occurs in libc/posix/ipc/mqueue.c in RT-Thread through 5.0.2. Rated high severity (CVSS 8.4), th

Share

CVE-2026-14607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy