CVE-2026-7423
Received Received - Intake
Integer Underflow in FreeRTOS-Plus-TCP Echo Reply Handlers

Publication date: 2026-04-29

Last updated on: 2026-05-04

Assigner: AMZN

Description
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7423
EUVD
EUVD-2026-26276
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
amazon freertos-plus-tcp From 4.0.0 (inc) to 4.2.6 (exc)
amazon freertos-plus-tcp From 4.3.0 (inc) to 4.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7423 is an integer underflow vulnerability in the ICMP and ICMPv6 echo reply handlers of FreeRTOS-Plus-TCP versions before V4.4.1 and V4.2.6. This occurs when the outgoing ping support is enabled, and the code subtracts header sizes from a packet length field without verifying that the field is large enough. If the packet length is smaller than the header size, an underflow happens, causing the system to read beyond the allocated heap buffer by up to approximately 65KB.

This vulnerability can be triggered by an adjacent network user sending specially crafted packets, leading to a heap out-of-bounds read and potentially causing the device to crash.

The issue has been fixed in FreeRTOS-Plus-TCP versions V4.4.1 and V4.2.6. Mitigation can also be achieved by disabling the outgoing ping support feature.

Executive Summary

This vulnerability is an integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP versions before V4.4.1 and V4.2.6.

It occurs because header sizes are subtracted from a packet length field without checking if the field is large enough, which leads to a heap out-of-bounds read of up to approximately 65KB.

An adjacent network user can exploit this issue to cause a denial of service by crashing the device when outgoing ping support is enabled.

Impact Analysis

This vulnerability can cause a denial of service by crashing the affected device.

An attacker on an adjacent network can exploit this issue to trigger a device crash, potentially disrupting network operations or device availability.

Mitigation Strategies

To mitigate this issue, users should upgrade to the fixed version of FreeRTOS-Plus-TCP, specifically version V4.4.1 or V4.2.6 or later.

Compliance Impact

The vulnerability primarily causes a denial of service (device crash) due to an integer underflow in the ICMP and ICMPv6 echo reply handlers when outgoing ping support is enabled.

There is no information provided in the available context or resources about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an integer underflow in the ICMP and ICMPv6 echo reply handlers when outgoing ping support is enabled in FreeRTOS-Plus-TCP. Detection would involve monitoring for abnormal device crashes or denial of service conditions triggered by crafted ICMP echo reply packets.

Since the issue arises when the ipconfigSUPPORT_OUTGOING_PINGS setting is enabled, one detection approach is to verify if this setting is active in your FreeRTOS configuration.

Network detection could include capturing and analyzing ICMP and ICMPv6 echo reply packets for suspiciously small packet length fields that could trigger the underflow.

However, no specific detection commands or tools are provided in the available resources.

Impact Analysis

This vulnerability primarily impacts the availability of affected devices by causing a denial of service (DoS) condition.

An attacker on an adjacent network can exploit this flaw by sending crafted ICMP or ICMPv6 echo reply packets, which trigger an integer underflow and cause the device to crash due to a heap out-of-bounds read.

The attack requires proximity to the target network and does not require any privileges or user interaction, but it can disrupt device operation and network services.

Detection Guidance

This vulnerability is triggered by crafted ICMP or ICMPv6 echo reply packets when outgoing ping support is enabled (ipconfigSUPPORT_OUTGOING_PINGS setting). Detection involves monitoring for unusual or malformed ICMP echo reply packets that could cause an integer underflow.

Since the vulnerability involves an integer underflow caused by packets with packet length fields smaller than header sizes, network detection tools could be configured to alert on ICMP echo replies with suspiciously small or malformed length fields.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade FreeRTOS-Plus-TCP to a fixed version: V4.2.6 or V4.4.1, where this vulnerability has been patched.

Alternatively, disabling outgoing ping support by setting ipconfigSUPPORT_OUTGOING_PINGS to 0 in the FreeRTOSIPConfig.h configuration file can mitigate the issue, as the vulnerability only triggers when outgoing ping support is enabled.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart