CVE-2026-7425
Bulletin ID: 2026-023-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/29 12:30 PM PDT Description: FreeRTOS-Plus-TCP is an open source TCP/IP stack implementation designed for FreeRTOS, providing a standard Berkeley sockets interface and support for essential networking protocols including IPv6, ARP, DHCP, DNS, and Router Advertisement (RA). We identified CVE-2026-7425 and CVE-2026-7426, one of them being out-of-bounds read and another one being out-of-bounds write issues respectively in the IPv6 Router Advertisement option parser where insufficient validation of length fields allows memory operations without proper bounds checking. Either issue can be exploited by any device on the local network that can send crafted Router Advertisement packets. No authentication or user interaction is required. Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- Out-of-bounds read and write issues in the IPv6 Router Advertisement option parser.
- Who is affected
- Devices on the local network using FreeRTOS-Plus-TCP within the specified version range.
- Urgency
- Remediation is important due to the potential for memory corruption exploits.
- Action
- Update to a version of FreeRTOS-Plus-TCP outside the affected range.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-7425
Get an email if CVE-2026-7425 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 14% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownIssue with FreeRTOS-Plus-TCP - IPv6 Router Advertisement Memory Safety Issuesaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-7425)