Description
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted.



To mitigate this issue, users should upgrade to the fixed version when available.
Published: 2026-04-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write occurs during IPv6 Router Advertisement processing when the prefix length field is not validated. An adjacent network actor can send a crafted RA packet with a prefix length exceeding the maximum allowed value, causing a heap buffer overflow and memory corruption on the device, potentially enabling arbitrary code execution.

Affected Systems

The flaw affects AWS FreeRTOS‑Plus‑TCP implementations before version 4.2.6 and 4.4.1. Users that only process IPv4 Router Advertisements are not impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the exploit probability is not available. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves an adjacent or local network actor that can inject a malicious RA packet to trigger the buffer overflow.

Generated by OpenCVE AI on April 29, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FreeRTOS‑Plus‑TCP version 4.2.6 or later, which includes the fix for the prefix length validation issue.
  • If upgrading is not immediately feasible, disable IPv6 Router Advertisement processing or restrict it to trusted interfaces.
  • Monitor network traffic for anomalous Router Advertisement messages and block any packets with invalid prefix lengths.

Generated by OpenCVE AI on April 29, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon freertos-plus-tcp
Vendors & Products Amazon
Amazon freertos-plus-tcp

Wed, 29 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
References

Wed, 29 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.
Title Out-of-Bounds Write via Unsanitized Prefix Length in Router Advertisement Processing in FreeRTOS-Plus-TCP
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Freertos-plus-tcp
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-29T22:14:34.199Z

Reserved: 2026-04-29T14:27:53.201Z

Link: CVE-2026-7426

cve-icon Vulnrichment

Updated: 2026-04-29T19:33:08.227Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-29T20:16:32.143

Modified: 2026-04-30T15:13:14.230

Link: CVE-2026-7426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:15:31Z

Weaknesses