CVE-2025-11618
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-31
Assigner: AMZN
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | freertos-plus-tcp | From 4.0.0 (inc) to 4.3.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an invalid (NULL) pointer dereference in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing. It is triggered when the stack receives a UDP/IPv6 packet whose IP header carries an incorrect IP version field. The UDP/IPv6 code did not validate that field before using a pointer derived from it, so a packet that is framed as IPv6 but does not carry a valid IPv6 version value leads the handler to dereference NULL, crashing or exiting the network task. Only applications that enable IPv6 are affected; FreeRTOS-Plus-TCP 4.0.0 up to but not including 4.3.4 is vulnerable, and 4.3.4 adds the missing validation. [2, 1]
How can this vulnerability impact me?
A single malformed UDP/IPv6 packet causes the affected stack to dereference a NULL pointer, so the application crashes or exits unexpectedly: a denial of service (loss of availability). On a typical microcontroller target without memory protection, that fault usually takes down the whole device rather than only the network task, and the device stays down until it is reset or a watchdog fires. Any host that can deliver IPv6 frames to the device can trigger it; no authentication is involved. There is no impact on confidentiality or integrity. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The trigger is a UDP/IPv6 packet whose IP version field is incorrect, so there are two places to look: the device (unexplained resets, fault-handler entries or hangs of the FreeRTOS-Plus-TCP task while IPv6 traffic is flowing) and the wire. On the wire, the malformed condition is a frame carried with the IPv6 EtherType (0x86DD) whose first header nibble, the IP version, is not 6. Wireshark exposes that as the display filter ipv6.version != 6, and tcpdump can capture it directly, for example:
tcpdump -ni eth0 'ether proto 0x86dd and ip6[0] & 0xf0 != 0x60'
Normal IPv6 traffic never matches this, so any hit is either a broken sender or a deliberate probe. The linked resources publish no detection commands or IDS signatures; the filters above follow from the description of the malformed packet. In practice, detection therefore combines monitoring device stability with inspecting captures for IPv6-framed packets whose version field is wrong. [1, 2]
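The two answers above describe the bug (a UDP/IPv6 handler that trusts a pointer derived from an unchecked IP version field) and the detection rule (IPv6 EtherType, version nibble not 6). The following is an added illustration, not code from FreeRTOS-Plus-TCP or from the advisory: a toy Ethernet/IPv6/UDP parser in which the vulnerable pattern, the hardened parser and the capture-side check all share one constructed frame builder. All function and field names are this example's own assumptions, and the frame layout is the generic Ethernet II + IPv6 + UDP encoding.

```c
/* Added example, not FreeRTOS-Plus-TCP code: shows how an unchecked IP
 * version nibble becomes a NULL dereference, the validation that prevents it,
 * and the same check used as a detection rule over captured frames. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV6  0x86DDu
#define IPV6_HLEN       40
#define UDP_HLEN        8
#define IPPROTO_UDP_NUM 17
#define FRAME_LEN       (ETH_HLEN + IPV6_HLEN + UDP_HLEN)

/* Per-packet parse state (hypothetical); ip6 is set only for version 6. */
typedef struct {
    const uint8_t *frame;
    size_t         len;
    const uint8_t *ip6;   /* start of the IPv6 header, or NULL */
    const uint8_t *udp;   /* start of the UDP header */
} pkt_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Dispatch on the version nibble the way a dual-stack parser might:
 * anything that is not IPv6 yields NULL, which a later UDP/IPv6 handler
 * must not use without checking. */
static const uint8_t *locate_ipv6(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + 1) return NULL;
    const uint8_t *ip = frame + ETH_HLEN;
    return ((ip[0] >> 4) == 6) ? ip : NULL;
}

/* VULNERABLE pattern: assumes an IPv6 EtherType implies a valid IPv6 header.
 * For a frame whose version nibble is not 6, ip6 is NULL and the UDP pointer
 * is computed from NULL; the read below then faults. Only call this on a
 * well-formed frame; it is here to show the shape of the bug. */
static int udp6_dst_port_vulnerable(pkt_t *p)
{
    p->ip6 = locate_ipv6(p->frame, p->len);
    p->udp = p->ip6 + IPV6_HLEN;          /* no NULL check */
    return be16(p->udp + 2);              /* dereference: crash on a bad frame */
}

/* HARDENED: validate EtherType, version nibble, next header and lengths
 * before dereferencing any pointer derived from them. Returns -1 on reject. */
static int udp6_dst_port_hardened(pkt_t *p)
{
    if (p->len < FRAME_LEN) return -1;
    if (be16(p->frame + 12) != ETHERTYPE_IPV6) return -1;
    p->ip6 = locate_ipv6(p->frame, p->len);
    if (p->ip6 == NULL) return -1;                       /* the missing check */
    if (p->ip6[6] != IPPROTO_UDP_NUM) return -1;         /* next header */
    size_t payload_len = be16(p->ip6 + 4);
    if (payload_len < UDP_HLEN || ETH_HLEN + IPV6_HLEN + payload_len > p->len) return -1;
    p->udp = p->ip6 + IPV6_HLEN;
    return be16(p->udp + 2);
}

/* Detection rule for captures: IPv6 EtherType but version nibble != 6.
 * Same condition as tcpdump 'ether proto 0x86dd and ip6[0] & 0xf0 != 0x60'. */
static bool ipv6_version_mismatch(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + 1) return false;
    return be16(frame + 12) == ETHERTYPE_IPV6 && (frame[ETH_HLEN] >> 4) != 6;
}

/* Builds a constructed Ethernet/IPv6/UDP frame with a chosen version nibble. */
static size_t build_frame(uint8_t *buf, uint8_t version, uint16_t dst_port)
{
    memset(buf, 0, FRAME_LEN);
    buf[12] = 0x86; buf[13] = 0xDD;                      /* EtherType IPv6 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = (uint8_t)(version << 4);                     /* version nibble */
    ip[5] = UDP_HLEN;                                    /* payload length */
    ip[6] = IPPROTO_UDP_NUM;                             /* next header: UDP */
    ip[7] = 64;                                          /* hop limit */
    uint8_t *udp = ip + IPV6_HLEN;
    udp[2] = (uint8_t)(dst_port >> 8); udp[3] = (uint8_t)dst_port;
    udp[5] = UDP_HLEN;                                   /* UDP length */
    return FRAME_LEN;
}

/* Wrappers that build one constructed frame and run a single parser over it. */
static int demo_hardened_port(uint8_t version, uint16_t port)
{
    uint8_t buf[FRAME_LEN]; pkt_t p = { buf, build_frame(buf, version, port), NULL, NULL };
    return udp6_dst_port_hardened(&p);
}
static int demo_vulnerable_port(uint8_t version, uint16_t port)
{
    uint8_t buf[FRAME_LEN]; pkt_t p = { buf, build_frame(buf, version, port), NULL, NULL };
    return udp6_dst_port_vulnerable(&p);
}
static bool demo_mismatch(uint8_t version)
{
    uint8_t buf[FRAME_LEN]; size_t n = build_frame(buf, version, 53);
    return ipv6_version_mismatch(buf, n);
}

int main(void)
{
    printf("good frame, hardened parser: port %d\n", demo_hardened_port(6, 53));
    printf("version nibble 4, hardened parser: %d (rejected)\n", demo_hardened_port(4, 53));
    printf("version nibble 4 flagged by detector: %s\n", demo_mismatch(4) ? "yes" : "no");
    printf("good frame, vulnerable parser: port %d\n", demo_vulnerable_port(6, 53));
    /* demo_vulnerable_port(4, 53) would read through a pointer derived from NULL. */
    return 0;
}
```

The hardened parser rejects the frame before the UDP header pointer is ever formed, which is the class of check the 4.3.4 fix adds; the detector applies the same version test to frames on the wire, so a capture that triggers it is exactly the input the vulnerable parser cannot survive.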
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade FreeRTOS-Plus-TCP to version 4.3.4 or later, where the UDP/IPv6 path validates the IP version field before dereferencing the associated pointer. If the stack is vendored or forked in your firmware tree, confirm that the copy you actually build carries that fix rather than relying on the upstream tag name. No workaround is available: the affected code runs before any application-level filtering, so only the upgrade prevents the crash. As a scoping aid (not a workaround), builds that do not enable IPv6 (ipconfigUSE_IPv6 in FreeRTOSIPConfig.h for the 4.x series) do not compile the affected path. [1, 2]