CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-7423

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-021-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/29 12:00 PM PDT Description: FreeRTOS-Plus-TCP is a scalable, open source, and thread-safe TCP/IP stack for FreeRTOS. - CVE-2026-7422: Insufficient packet validation in the IPv4 and IPv6 receive paths allows an adjacent network device to send a packet that bypasses checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the target device's own registered endpoints. - CVE-2026-7423: Integer underflow in the ICMP and ICMPv6 echo reply handlers allows an adjacent network device to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read. Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Insufficient packet validation and integer underflow issues could allow for MAC address validation bypass and denial of service.
Who is affected
Users of FreeRTOS-Plus-TCP within the specified version range.
Urgency
Remediation is urgent due to the potential for denial of service and privilege escalation.
Action
Upgrade to a version outside the specified range.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-7423

Get an email if CVE-2026-7423 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-7423

CVE.org record

Embed the live status

CVE-2026-7423 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-7423 status](https://www.csirts.com/badge/CVE-2026-7423)](https://www.csirts.com/cve/CVE-2026-7423)