Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities found for FreeRTOS-Plus-TCP by AWS
CVE-2026-7426 (GCVE-0-2026-7426)
Vulnerability from nvd – Published: 2026-04-29 18:53 – Updated: 2026-04-29 22:14
VLAI
Title
Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP
Summary
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:33:03.058186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:33:24.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:14:34.199Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-023-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-97qg-4359-xm3x"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7426",
"datePublished": "2026-04-29T18:53:52.187Z",
"dateReserved": "2026-04-29T14:27:53.201Z",
"dateUpdated": "2026-04-29T22:14:34.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7425 (GCVE-0-2026-7425)
Vulnerability from nvd – Published: 2026-04-29 18:52 – Updated: 2026-04-29 22:14
VLAI
Title
Out-of-Bounds Read in Router Advertisement Option Parser in FreeRTOS-Plus-TCP
Summary
Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:32:41.101290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:50.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:14:08.753Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-023-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-gffr-xgjg-jh9j"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in Router Advertisement Option Parser in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7425",
"datePublished": "2026-04-29T18:52:36.439Z",
"dateReserved": "2026-04-29T14:27:51.904Z",
"dateUpdated": "2026-04-29T22:14:08.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7424 (GCVE-0-2026-7424)
Vulnerability from nvd – Published: 2026-04-29 18:51 – Updated: 2026-04-29 22:13
VLAI
Title
Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
Summary
Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.
The issue is present whenever DHCPv6 is enabled.
To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:08:53.836749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:09:03.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInteger underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device\u0027s IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe issue is present whenever DHCPv6 is enabled.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.\u003c/p\u003e"
}
],
"value": "Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device\u0027s IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.\n\n\n\n\n\n\n\n\nThe issue is present whenever DHCPv6 is enabled.\n\n\n\n\n\n\n\n\nTo mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:13:39.794Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-022-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wrhm-c99p-2p8g"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7424",
"datePublished": "2026-04-29T18:51:28.385Z",
"dateReserved": "2026-04-29T14:27:50.756Z",
"dateUpdated": "2026-04-29T22:13:39.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7423 (GCVE-0-2026-7423)
Vulnerability from nvd – Published: 2026-04-29 18:36 – Updated: 2026-04-29 19:08
VLAI
Title
Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP
Summary
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7423",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:08:03.742434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:08:11.602Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInteger underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:50:12.168Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-021-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-7r59-2pgv-9v2r"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7423",
"datePublished": "2026-04-29T18:36:28.353Z",
"dateReserved": "2026-04-29T14:27:49.474Z",
"dateUpdated": "2026-04-29T19:08:11.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7422 (GCVE-0-2026-7422)
Vulnerability from nvd – Published: 2026-04-29 18:35 – Updated: 2026-04-29 19:07
VLAI
Title
MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing
Summary
Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:07:24.986831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:07:31.899Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device\u0027s own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device\u0027s own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:46:49.607Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-021-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-jpw4-6h59-62w9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7422",
"datePublished": "2026-04-29T18:35:33.797Z",
"dateReserved": "2026-04-29T14:27:48.592Z",
"dateUpdated": "2026-04-29T19:07:31.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11618 (GCVE-0-2025-11618)
Vulnerability from nvd – Published: 2025-10-10 17:10 – Updated: 2025-10-10 20:31
VLAI
Title
Invalid Pointer Dereference when receiving UDP/IPv6 packets in FreeRTOS-Plus-TCP
Summary
A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6.
We recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patchproduct |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.3.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:30:56.422981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:31:12.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.3.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing validation check in FreeRTOS-Plus-TCP\u0027s UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header.\u0026nbsp;This issue only affects applications using IPv6.\u003c/p\u003e\u003cp\u003eWe recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A missing validation check in FreeRTOS-Plus-TCP\u0027s UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header.\u00a0This issue only affects applications using IPv6.\n\nWe recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T17:33:29.903Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch",
"product"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-6fh9-mqxj-hmwj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Invalid Pointer Dereference when receiving UDP/IPv6 packets in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-11618",
"datePublished": "2025-10-10T17:10:34.267Z",
"dateReserved": "2025-10-10T16:49:25.407Z",
"dateUpdated": "2025-10-10T20:31:12.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11617 (GCVE-0-2025-11617)
Vulnerability from nvd – Published: 2025-10-10 17:10 – Updated: 2025-10-10 19:13
VLAI
Title
Buffer Over-read when receiving IPv6 packets with incorrect payload length in FreeRTOS-Plus-TCP
Summary
A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header. This issue only affects applications using IPv6.
We recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-126 - Buffer Over-read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patchproduct |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.3.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T19:13:40.345838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:13:58.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.3.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing validation check in FreeRTOS-Plus-TCP\u0027s IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header.\u0026nbsp;This issue only affects applications using IPv6.\u003c/p\u003e\u003cp\u003eWe recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A missing validation check in FreeRTOS-Plus-TCP\u0027s IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header.\u00a0This issue only affects applications using IPv6.\n\nWe recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "CWE-126: Buffer Over-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T17:28:56.298Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch",
"product"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wmjr-wm93-cvv2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer Over-read when receiving IPv6 packets with incorrect payload length in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-11617",
"datePublished": "2025-10-10T17:10:30.901Z",
"dateReserved": "2025-10-10T16:49:24.367Z",
"dateUpdated": "2025-10-10T19:13:58.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-7426 (GCVE-0-2026-7426)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:53 – Updated: 2026-04-29 22:14
VLAI
Title
Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP
Summary
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:33:03.058186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:33:24.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:14:34.199Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-023-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-97qg-4359-xm3x"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7426",
"datePublished": "2026-04-29T18:53:52.187Z",
"dateReserved": "2026-04-29T14:27:53.201Z",
"dateUpdated": "2026-04-29T22:14:34.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7425 (GCVE-0-2026-7425)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:52 – Updated: 2026-04-29 22:14
VLAI
Title
Out-of-Bounds Read in Router Advertisement Option Parser in FreeRTOS-Plus-TCP
Summary
Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:32:41.101290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:32:50.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:14:08.753Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-023-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-gffr-xgjg-jh9j"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out-of-Bounds Read in Router Advertisement Option Parser in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7425",
"datePublished": "2026-04-29T18:52:36.439Z",
"dateReserved": "2026-04-29T14:27:51.904Z",
"dateUpdated": "2026-04-29T22:14:08.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7424 (GCVE-0-2026-7424)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:51 – Updated: 2026-04-29 22:13
VLAI
Title
Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
Summary
Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.
The issue is present whenever DHCPv6 is enabled.
To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:08:53.836749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:09:03.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInteger underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device\u0027s IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe issue is present whenever DHCPv6 is enabled.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.\u003c/p\u003e"
}
],
"value": "Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device\u0027s IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet.\n\n\n\n\n\n\n\n\nThe issue is present whenever DHCPv6 is enabled.\n\n\n\n\n\n\n\n\nTo mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T22:13:39.794Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-022-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wrhm-c99p-2p8g"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7424",
"datePublished": "2026-04-29T18:51:28.385Z",
"dateReserved": "2026-04-29T14:27:50.756Z",
"dateUpdated": "2026-04-29T22:13:39.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7423 (GCVE-0-2026-7423)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:36 – Updated: 2026-04-29 19:08
VLAI
Title
Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP
Summary
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7423",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:08:03.742434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:08:11.602Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInteger underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:50:12.168Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-021-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-7r59-2pgv-9v2r"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7423",
"datePublished": "2026-04-29T18:36:28.353Z",
"dateReserved": "2026-04-29T14:27:49.474Z",
"dateUpdated": "2026-04-29T19:08:11.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7422 (GCVE-0-2026-7422)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:35 – Updated: 2026-04-29 19:07
VLAI
Title
MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing
Summary
Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.
To mitigate this issue, users should upgrade to the fixed version when available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.2.6
(semver)
Affected: 4.3.0 , < 4.4.1 (semver) Unaffected: 4.2.6 Unaffected: 4.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T19:07:24.986831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T19:07:31.899Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP",
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.2.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.4.1",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.6"
},
{
"status": "unaffected",
"version": "4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device\u0027s own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to the fixed version when available.\u003c/p\u003e"
}
],
"value": "Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device\u0027s own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.\n\n\n\nTo mitigate this issue, users should upgrade to the fixed version when available."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21: Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:46:49.607Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-021-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-jpw4-6h59-62w9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-7422",
"datePublished": "2026-04-29T18:35:33.797Z",
"dateReserved": "2026-04-29T14:27:48.592Z",
"dateUpdated": "2026-04-29T19:07:31.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11618 (GCVE-0-2025-11618)
Vulnerability from cvelistv5 – Published: 2025-10-10 17:10 – Updated: 2025-10-10 20:31
VLAI
Title
Invalid Pointer Dereference when receiving UDP/IPv6 packets in FreeRTOS-Plus-TCP
Summary
A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6.
We recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patchproduct |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.3.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:30:56.422981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:31:12.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.3.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing validation check in FreeRTOS-Plus-TCP\u0027s UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header.\u0026nbsp;This issue only affects applications using IPv6.\u003c/p\u003e\u003cp\u003eWe recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A missing validation check in FreeRTOS-Plus-TCP\u0027s UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header.\u00a0This issue only affects applications using IPv6.\n\nWe recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T17:33:29.903Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch",
"product"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-6fh9-mqxj-hmwj"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Invalid Pointer Dereference when receiving UDP/IPv6 packets in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-11618",
"datePublished": "2025-10-10T17:10:34.267Z",
"dateReserved": "2025-10-10T16:49:25.407Z",
"dateUpdated": "2025-10-10T20:31:12.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11617 (GCVE-0-2025-11617)
Vulnerability from cvelistv5 – Published: 2025-10-10 17:10 – Updated: 2025-10-10 19:13
VLAI
Title
Buffer Over-read when receiving IPv6 packets with incorrect payload length in FreeRTOS-Plus-TCP
Summary
A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header. This issue only affects applications using IPv6.
We recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-126 - Buffer Over-read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/rel… | patchproduct |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/sec… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | FreeRTOS-Plus-TCP |
Affected:
4.0.0 , < 4.3.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T19:13:40.345838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:13:58.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FreeRTOS-Plus-TCP",
"vendor": "AWS",
"versions": [
{
"lessThan": "4.3.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA missing validation check in FreeRTOS-Plus-TCP\u0027s IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header.\u0026nbsp;This issue only affects applications using IPv6.\u003c/p\u003e\u003cp\u003eWe recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A missing validation check in FreeRTOS-Plus-TCP\u0027s IPv6 packet processing code can lead to an out-of-bounds read when receiving a IPv6 packet with incorrect payload lengths in the packet header.\u00a0This issue only affects applications using IPv6.\n\nWe recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "CWE-126: Buffer Over-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T17:28:56.298Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch",
"product"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wmjr-wm93-cvv2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer Over-read when receiving IPv6 packets with incorrect payload length in FreeRTOS-Plus-TCP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-11617",
"datePublished": "2025-10-10T17:10:30.901Z",
"dateReserved": "2025-10-10T16:49:24.367Z",
"dateUpdated": "2025-10-10T19:13:58.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}