Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local CAN-path access with low privileges and no user interaction (AV:L/PR:L/UI:N); stack overflow enabling code execution gives high C/I/A on the single MCU system (S:U).
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in RT-Thread up to 5.0.2. Affected by this issue is the function CAN_Receive in the library bsp/synwit/libraries/SWM341_CSL/CMSIS/DeviceSupport/SWM341.h of the component SWM341 CAN Handler. Performing a manipulation results in stack-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to the target device and the ability to feed data through the Synwit SWM341 CAN receive path - i.e., the firmware must be built with the SWM341 BSP and actively using the SWM341 CAN handler / CAN_Receive function, and the attacker must be able to inject or manipulate CAN frames reaching that handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) describes a local, low-complexity attack requiring low privileges but no user interaction, with high impact to confidentiality, integrity, and availability of the vulnerable system - hence the 7.1 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local access to the device or its CAN bus crafts a malformed CAN frame (or manipulates the received length/data) that is processed by CAN_Receive, overrunning the fixed-size stack buffer. Given CVSS AV:L/AC:L, the attack is low-complexity but requires local proximity to the interface; the overflow overwrites the stack to crash the RTOS task or hijack control flow. … |
| Remediation | No vendor-released patched version has been identified at time of analysis; the vendor was contacted early but did not respond, and the referenced GitHub issue (https://github.com/RT-Thread/rt-thread/issues/11425) documents the bug rather than a tagged fixed release, so a released patched version is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Asset discovery-identify all RT-Thread RTOS ≤5.0.2 deployments, particularly Synwit SWM341 board systems with active CAN interfaces; verify production and development environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Critical memory corruption vulnerability in RT-Thread 5.1.0's sys_select syscall handler that allows authenticated local
Critical null pointer dereference vulnerability in RT-Thread 5.1.0's lwp_syscall.c csys_sendto function, allowing authen
Critical memory corruption vulnerability in RT-Thread 5.1.0's sys_recvfrom syscall handler that allows authenticated loc
A security vulnerability in A vulnerability classified as critical (CVSS 8.0). Risk factors: public PoC available.
Critical array index validation vulnerability in RT-Thread 5.1.0's signal mask syscall handler that allows authenticated
A vulnerability, which was classified as critical, was found in RT-Thread up to 5.1.0. This affects the function sys_dev
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within t
A stack buffer overflow occurs in net/at/src/at_server.c in RT-Thread through 5.0.2. Rated critical severity (CVSS 9.8),
Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to cras
A vulnerability classified as problematic was found in RT-Thread up to 5.1.0. Rated medium severity (CVSS 4.8), this vul
A buffer overflow occurs in utilities/rt-link/src/rtlink.c in RT-Thread through 5.0.2. Rated high severity (CVSS 8.8), t
A stack buffer overflow occurs in libc/posix/ipc/mqueue.c in RT-Thread through 5.0.2. Rated high severity (CVSS 8.4), th
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41563
GHSA-q2qc-v4ph-4mrq