UDP/IPv6 Invalid Pointer Dereference in FreeRTOS-Plus-TCP from Amazon
CVE-2025-11618

5.3 MEDIUM

Key Information:

Vendor: AWS
CVE Published: 10 October 2025

What is CVE-2025-11618?

A vulnerability in FreeRTOS-Plus-TCP's UDP/IPv6 packet-processing code results from a missing validation check. When an application receives a UDP/IPv6 packet whose IP version field in the packet header is incorrect, the code may dereference an invalid pointer. The issue affects only applications that use IPv6. Users are advised to upgrade to the latest version and apply the corresponding patches to any derived code to mitigate this risk.
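As an added illustration (not FreeRTOS-Plus-TCP's own source; its internal function names and structures are not reproduced here), the following C parser shows the defensive check the description refers to: a frame is rejected when its IP version nibble is not 6, before any IPv6 header field is used to compute the UDP header pointer. The packet builder, the return codes and the function names are assumptions made for this example, and the sample packets are constructed inline.

```c
/* Added example, not FreeRTOS-Plus-TCP code: validate the IP version nibble
 * before interpreting a buffer as IPv6 and locating its UDP header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HEADER_LEN 40
#define UDP_HEADER_LEN  8
#define NEXT_HEADER_UDP 17

typedef struct {
    const uint8_t *udp_header;   /* points into the packet buffer when valid */
    uint16_t udp_payload_len;    /* UDP length minus the 8-byte UDP header */
} udp6_view_t;

/* Return codes chosen for this example (hypothetical). */
enum { UDP6_OK = 0, UDP6_ERR_SHORT = -1, UDP6_ERR_VERSION = -2,
       UDP6_ERR_PROTO = -3, UDP6_ERR_LEN = -4 };

/* Parse pkt as IPv6 + UDP. Writes to *out only on success. */
int parse_udp6(const uint8_t *pkt, size_t len, udp6_view_t *out)
{
    if (pkt == NULL || out == NULL || len < IPV6_HEADER_LEN + UDP_HEADER_LEN)
        return UDP6_ERR_SHORT;
    /* The missing check: confirm the version nibble is 6 before treating the
     * bytes as an IPv6 header. Without it, a header with another version value
     * would be read with IPv6 field offsets, producing a bogus UDP pointer. */
    if ((pkt[0] >> 4) != 6)
        return UDP6_ERR_VERSION;
    if (pkt[6] != NEXT_HEADER_UDP)            /* Next Header field */
        return UDP6_ERR_PROTO;
    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_len < UDP_HEADER_LEN || (size_t)payload_len > len - IPV6_HEADER_LEN)
        return UDP6_ERR_LEN;
    const uint8_t *udp = pkt + IPV6_HEADER_LEN;
    uint16_t udp_len = (uint16_t)((udp[4] << 8) | udp[5]);
    if (udp_len < UDP_HEADER_LEN || udp_len > payload_len)
        return UDP6_ERR_LEN;
    out->udp_header = udp;
    out->udp_payload_len = (uint16_t)(udp_len - UDP_HEADER_LEN);
    return UDP6_OK;
}

/* Constructed sample packet: a zero-address IPv6/UDP datagram whose version
 * nibble is configurable, so a well-formed frame and a mis-versioned one can
 * be compared. Returns the packet length, or 0 if buf is too small. */
size_t build_sample_packet(uint8_t *buf, size_t cap, uint8_t version, uint16_t payload_bytes)
{
    size_t total = IPV6_HEADER_LEN + UDP_HEADER_LEN + payload_bytes;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(version << 4);              /* version nibble */
    uint16_t plen = (uint16_t)(UDP_HEADER_LEN + payload_bytes);
    buf[4] = (uint8_t)(plen >> 8); buf[5] = (uint8_t)plen;   /* Payload Length */
    buf[6] = NEXT_HEADER_UDP;                      /* Next Header = UDP */
    buf[7] = 64;                                   /* Hop Limit */
    uint8_t *udp = buf + IPV6_HEADER_LEN;
    udp[0] = 0x30; udp[1] = 0x39;                  /* src port 12345 */
    udp[2] = 0x00; udp[3] = 0x35;                  /* dst port 53 */
    udp[4] = (uint8_t)(plen >> 8); udp[5] = (uint8_t)plen;   /* UDP length */
    return total;
}

/* Helper for demonstration: parse a sample packet with the given version nibble. */
int demo_result(uint8_t version)
{
    uint8_t buf[128]; udp6_view_t v;
    size_t n = build_sample_packet(buf, sizeof buf, version, 4);
    return parse_udp6(buf, n, &v);
}

/* Helper: payload length seen by the parser, or -1 when the packet is rejected. */
int demo_payload_len(uint8_t version)
{
    uint8_t buf[128]; udp6_view_t v;
    size_t n = build_sample_packet(buf, sizeof buf, version, 4);
    return parse_udp6(buf, n, &v) == UDP6_OK ? (int)v.udp_payload_len : -1;
}

int main(void)
{
    printf("version 6 -> %d\n", demo_result(6));   /* 0  (UDP6_OK) */
    printf("version 4 -> %d\n", demo_result(4));   /* -2 (UDP6_ERR_VERSION) */
    return 0;
}
```

The version check sits before any length or protocol field is read, so a frame that is not IPv6 never reaches the arithmetic that derives the UDP header pointer; the later length checks bound that pointer within the received buffer.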

Affected Version(s)

FreeRTOS-Plus-TCP 4.0.0 < 4.3.4

References

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
