Buffer Overflow Vulnerability in FreeRTOS-Plus-TCP by Amazon Web Services
CVE-2026-7426

6.1 MEDIUM

Key Information:

Vendor: AWS
CVE Published: 29 April 2026

What is CVE-2026-7426?

A buffer overflow vulnerability exists in FreeRTOS-Plus-TCP due to inadequate validation of the prefix length field during IPv6 Router Advertisement processing. This flaw allows an adjacent network actor to exploit the system by sending a malicious Router Advertisement containing a prefix length value that exceeds the maximum permissible limit. As a result, this can lead to memory corruption, posing a significant risk to system integrity. Users who rely solely on IPv4 Router Advertisements are not affected by this vulnerability. To prevent exploitation, it is crucial for users to upgrade to the patched versions, V4.2.6 or V4.4.1, as soon as they become available.
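The missing check described above can be illustrated with a bounds-checked parser for the Router Advertisement Prefix Information option (RFC 4861: type 3, 32 bytes, prefix length in byte 2, prefix in bytes 16 to 31). This is an added example, not FreeRTOS-Plus-TCP code. The function and type names are hypothetical, the sample option is constructed, and the example assumes the prefix length is used to size a copy, which the page does not detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_PREFIX_INFO  3u    /* RFC 4861 option type */
#define ND_OPT_PREFIX_LEN8  4u    /* option length in 8-byte units (32 bytes) */
#define IPV6_ADDR_BITS      128u  /* largest valid IPv6 prefix length */

typedef enum { PFX_OK, PFX_TRUNCATED, PFX_BAD_OPTION, PFX_BAD_LENGTH } pfx_status_t;
typedef struct { uint8_t bits; uint8_t prefix[16]; } ra_prefix_t;

/* Hypothetical helper: parse one Prefix Information option from untrusted bytes. */
pfx_status_t parse_prefix_option(const uint8_t *opt, size_t avail, ra_prefix_t *out)
{
    if (avail < 2u) return PFX_TRUNCATED;
    if (opt[0] != ND_OPT_PREFIX_INFO || opt[1] != ND_OPT_PREFIX_LEN8) return PFX_BAD_OPTION;
    if (avail < ND_OPT_PREFIX_LEN8 * 8u) return PFX_TRUNCATED;

    uint8_t bits = opt[2];
    /* Reject out-of-range lengths before the value sizes any copy. */
    if (bits > IPV6_ADDR_BITS) return PFX_BAD_LENGTH;

    size_t whole = bits / 8u, rem = bits % 8u;
    memset(out->prefix, 0, sizeof out->prefix);
    memcpy(out->prefix, &opt[16], whole);            /* whole <= 16 here */
    if (rem != 0u)                                   /* implies whole <= 15 */
        out->prefix[whole] = opt[16 + whole] & (uint8_t)(0xFFu << (8u - rem));
    out->bits = bits;
    return PFX_OK;
}

/* Constructed sample option advertising 2001:db8:ff00::/bits. */
void make_sample_option(uint8_t bits, uint8_t opt[32])
{
    memset(opt, 0, 32);
    opt[0] = 3; opt[1] = 4; opt[2] = bits;
    opt[16] = 0x20; opt[17] = 0x01; opt[18] = 0x0d; opt[19] = 0xb8; opt[20] = 0xff;
}

int main(void)
{
    uint8_t opt[32];
    ra_prefix_t p;
    make_sample_option(64, opt);
    printf("/64  -> %d\n", parse_prefix_option(opt, sizeof opt, &p));
    make_sample_option(200, opt);   /* length above 128 must be dropped */
    printf("/200 -> %d\n", parse_prefix_option(opt, sizeof opt, &p));
    return 0;
}
```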

Affected Version(s)

FreeRTOS-Plus-TCP 4.0.0 < 4.2.6

FreeRTOS-Plus-TCP 4.3.0 < 4.4.1

FreeRTOS-Plus-TCP 4.2.6

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
