Denial of Service Vulnerability in Apache NuttX RTOS Affecting File Systems
CVE-2025-48768
5.3 MEDIUM
What is CVE-2025-48768?
A vulnerability exists in the fs/inode/fs_inoderemove code of Apache NuttX RTOS that can lead to the removal of root filesystem inodes. This can either trigger a debug assert, which is turned off by default, or cause a NULL pointer dereference. The impact varies with the target architecture and can result in a denial of service, particularly for users who run filesystem-based services with write access exposed over the network, such as FTP. Users are strongly advised to upgrade to version 12.10.0 to mitigate this vulnerability.
Affected Version(s)
Apache NuttX RTOS 10.0.0 < 12.10.0
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Liu, Richard Jiayang <rjliu3@illinois.edu>
Alan Carvalho de Assis <acassis@apache.org>
Tomek CEDRO <cederom@apache.org>
Xiang Xiao <xiaoxiang@apache.org>
Jiuzhu Dong <jiuzhudong@apache.org>