Skip to content
Threat Feed
high advisory

CVE-2026-14605: RT-Thread Stack-based Buffer Overflow

A stack-based buffer overflow vulnerability (CVE-2026-14605) exists in the `recvmsg` function of the `ls1c CAN Handler` component within RT-Thread up to version 5.0.2, requiring local access for exploitation and having a publicly available exploit, potentially leading to high impact on confidentiality, integrity, and availability.

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-14605, has been discovered in RT-Thread, an open-source real-time operating system, affecting versions up to 5.0.2. The flaw resides specifically within the recvmsg function in the bsp/loongson/ls1cdev/libraries/ls1c_can.h library, part of the ls1c CAN Handler component. Exploitation of this vulnerability necessitates local access to the affected system, meaning an attacker must already have a foothold on the device. A public exploit for this vulnerability is available, increasing the likelihood of its use by malicious actors. The vendor, RT-Thread, was contacted regarding this disclosure but has not provided a response, leaving affected systems at risk. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of systems utilizing affected RT-Thread versions.

Impact

The successful exploitation of CVE-2026-14605, a stack-based buffer overflow, could lead to a complete compromise of the affected RT-Thread system. With high impact on confidentiality, integrity, and availability (CVSS 3.1 Base Score 7.8), attackers could potentially execute arbitrary code with elevated privileges, gain full control over the embedded device, or cause system instability and denial of service. Since RT-Thread is commonly used in embedded systems and IoT devices, successful exploitation could have severe consequences ranging from data exfiltration and intellectual property theft to physical disruption of critical infrastructure or industrial control systems.

Recommendation

  • Immediately patch or update RT-Thread installations to a version beyond 5.0.2 to remediate CVE-2026-14605.
  • Restrict local access to all devices running affected RT-Thread versions as exploitation of CVE-2026-14605 requires local access.
  • Monitor for any unusual activity or process behavior on devices running RT-Thread, especially after any local access event, given the public availability of an exploit for CVE-2026-14605.