CVE-2026-22212 - Vulnerability Details

TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tinyos	Tinyos

No data.

References

Link	Providers
https://github.com/tinyos/tinyos-main
https://seclists.org/fulldisclosure/2026/Jan/14
https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio

History

Tue, 13 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tinyos Tinyos tinyos
Vendors & Products		Tinyos Tinyos tinyos

Mon, 12 Jan 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes.
Title		TinyOS <= 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio
Weaknesses		CWE-121
References		https://github.com/tinyos/tinyos-main https://seclists.org/fulldisclosure/2026/Jan/14 https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio
Metrics		cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-01-12T23:02:45.973Z

Updated: 2026-01-12T23:02:45.973Z

Reserved: 2026-01-06T16:47:17.187Z

Link: CVE-2026-22212

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-12T23:15:52.140

Modified: 2026-01-12T23:15:52.140

Link: CVE-2026-22212

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object