Threat Entry Updated 2026-01-14

CVE-2026-22211 - TinyOS Plugin

TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure…

PLUGIN TinyOS

CVE-2026-22211

MEDIUM CVSS 5.1 2026-01-14

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-01-13

CVE-2026-22212 - TinyOS Plugin

TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.

PLUGIN TinyOS

CVE-2026-22212

MEDIUM CVSS 4.8 2026-01-12

Risk Score

Open Full Technical Breakdown