Description
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB.



To mitigate this issue, users should upgrade to the fixed version when available.
Published: 2026-04-29
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer underflow in the ICMP and ICMPv6 echo reply handlers of FreeRTOS-Plus-TCP causes a heap out‑of‑bounds read when a packet length field is reduced by the header size without checking for validity. The resulting memory corruption can crash the device, interrupting normal operation and leading to a denial‑of‑service condition for applications relying on the TCP/IP stack.

Affected Systems

AWS managed FreeRTOS-Plus-TCP deployments using version 4.4.0 or earlier, and any release processed under the V4.2.6 branch before the fix was applied, are vulnerable. Systems that rely on the FreeRTOS-Plus-TCP stack and allow outgoing ping responses are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 6, indicating moderate severity. The EPSS score is not available, so the current exploitation probability cannot be quantified. The issue is not listed in the CISA KEV catalog. Attacks can be launched by an adjacent network user who sends crafted ICMP or ICMPv6 packets to trigger the underflow, which then causes the device to crash. Because the flaw is in the packet processing path, it can be triggered remotely from the network.

Generated by OpenCVE AI on April 29, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeRTOS-Plus‑TCP to a fixed release such as 4.4.1 or later, or apply the patch from release V4.2.6 if using that branch
  • If an upgrade is not immediately possible, disable the outgoing ICMP echo reply functionality in the FreeRTOS configuration to prevent the flaw from being exercised
  • After applying a fix or disabling the feature, monitor system logs for repeated crashes or abnormal memory access errors to verify the mitigation has succeeded

Generated by OpenCVE AI on April 29, 2026 at 21:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.
Title Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-Plus-TCP
Weaknesses CWE-191
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-29T19:08:11.602Z

Reserved: 2026-04-29T14:27:49.474Z

Link: CVE-2026-7423

cve-icon Vulnrichment

Updated: 2026-04-29T19:08:07.142Z

cve-icon NVD

Status : Received

Published: 2026-04-29T19:16:26.617

Modified: 2026-04-29T19:16:26.617

Link: CVE-2026-7423

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses