Use After Free Vulnerability in Apache NuttX RTOS
CVE-2025-48769

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Nuttx Rtos
Vendor: CVE Published:; 1 January 2026

What is CVE-2025-48769?

A Use After Free vulnerability has been identified in the Apache NuttX RTOS, specifically within the fs/vfs/fs_rename code. This vulnerability arises from a recursive implementation that utilizes a single buffer with two different pointer variables, allowing for arbitrary user-provided size buffer reallocation. Consequently, this mismanagement can lead to unintended results during virtual filesystem rename or move operations when the free heap chunk is accessed. Users, especially those operating virtual filesystem services with write access over network interfaces like FTP, are advised to upgrade to version 12.11.0, which addresses this critical issue.

Affected Version(s)

Apache NuttX RTOS 7.20 < 12.11.0

References

https://github.com/apache/nuttx/pull/16455

patch

https://lists.apache.org/thread/7m83v11ldfq7bvw72n9t5scco...

vendor-advisory

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 1, 2026
Vulnerability Reserved
May 26, 2025

Credit

Liu, Richard Jiayang <rjliu3@illinois.edu>

Tomek CEDRO <cederom@apache.org>

Xiang Xiao <xiaoxiang@apache.org>

Jiuzhu Dong <jiuzhudong@apache.org>

JSON