CVE-2025-48768
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: Apache Software Foundation

Description
Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0. Users of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-01-06
Generated
2026-05-27
AI Q&A
2026-01-01
EPSS Evaluated
2026-05-25
NVD
CVE-2025-48768
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache nuttx From 10.0.0 (inc) to 12.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-763 The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in the Apache NuttX RTOS filesystem inode removal code (fs/inode/fs_inoderemove) where an invalid pointer or reference is released during root filesystem inode removal. This can cause a debug assertion failure (disabled by default), a NULL pointer dereference (with effects varying by architecture), or generally lead to a Denial of Service (DoS). It happens because the code attempts to remove an inode even when it has no parent inode, which is invalid and causes system instability. [2, 3]


How can this vulnerability impact me? :

If you use filesystem-based services with write access exposed over the network (such as FTP servers) on affected versions of Apache NuttX RTOS (from 10.0.0 before 12.10.0), this vulnerability can cause your system to crash or become unavailable due to Denial of Service triggered by invalid inode removal operations. This can disrupt service availability and system stability. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects Apache NuttX RTOS versions from 10.0.0 before 12.10.0, specifically in the filesystem inode removal code. Detection involves identifying if your system is running a vulnerable version of Apache NuttX RTOS and if filesystem-based services with write access (such as FTP) are exposed over the network. There are no specific commands provided in the resources to detect exploitation attempts or the vulnerability itself. However, monitoring for crashes or Denial of Service symptoms related to inode removal operations might help. For precise detection, checking the version of Apache NuttX RTOS installed on your system is recommended. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Apache NuttX RTOS to version 12.10.0 or later, where the vulnerability has been fixed. This update includes a patch that prevents invalid inode removal operations by detecting inodes without parents and returning an error instead of proceeding. Additionally, restricting or disabling filesystem-based services with write access exposed over the network (such as FTP) until the upgrade can reduce exposure. [2, 3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart