CVE-2026-22212
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A stack-based buffer overflow vulnerability in the mcp2200gpio utility in TinyOS versions up to and including 2.1.2. It is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.
Risk Assessment
The risk for the organization includes potential local code execution or system crashes by an attacker with local access. This could lead to system integrity compromise and potential privilege escalation.
Recommendation
It is recommended to immediately upgrade TinyOS to a version newer than 2.1.2 if available. In the meantime, restrict local access to the system and monitor the /dev/usb/ directory for suspicious files.
Original NVD description (English source)
TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.

