CVE-2026-7423

EUVD-2026-26276

29.04.2026, 19:16

Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.



To mitigate this issue, users should upgrade to the fixed version when available.

Wrap or Wraparound

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Affected Products (NVD)

Vendor	Product	Version
amazon	freertos-plus-tcp	4.0.0 ≤ 𝑥 < 4.2.6
amazon	freertos-plus-tcp	4.3.0 ≤ 𝑥 < 4.4.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-191 - Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

References

https://aws.amazon.com/security/security-bulletins/2026-021-aws/

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1

https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-7r59-2pgv-9v2r