CVE-2026-7423
Integer Underflow in FreeRTOS-Plus-TCP Echo Reply Handlers
Publication date: 2026-04-29
Last updated on: 2026-05-04
Assigner: AMZN
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | freertos-plus-tcp | From 4.0.0 (inc) to 4.2.6 (exc) |
| amazon | freertos-plus-tcp | From 4.3.0 (inc) to 4.4.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP versions before V4.4.1 and V4.2.6.
It occurs because header sizes are subtracted from a packet length field without checking if the field is large enough, which leads to a heap out-of-bounds read of up to approximately 65KB.
An adjacent network user can exploit this issue to cause a denial of service by crashing the device when outgoing ping support is enabled.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the affected device.
An attacker on an adjacent network can exploit this issue to trigger a device crash, potentially disrupting network operations or device availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this issue, users should upgrade to the fixed version of FreeRTOS-Plus-TCP, specifically version V4.4.1 or V4.2.6 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily causes a denial of service (device crash) due to an integer underflow in the ICMP and ICMPv6 echo reply handlers when outgoing ping support is enabled.
There is no information provided in the available context or resources about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an integer underflow in the ICMP and ICMPv6 echo reply handlers when outgoing ping support is enabled in FreeRTOS-Plus-TCP. Detection would involve monitoring for abnormal device crashes or denial of service conditions triggered by crafted ICMP echo reply packets.
Since the issue arises when the ipconfigSUPPORT_OUTGOING_PINGS setting is enabled, one detection approach is to verify if this setting is active in your FreeRTOS configuration.
Network detection could include capturing and analyzing ICMP and ICMPv6 echo reply packets for suspiciously small packet length fields that could trigger the underflow.
However, no specific detection commands or tools are provided in the available resources.
Can you explain this vulnerability to me?
CVE-2026-7423 is an integer underflow vulnerability in the ICMP and ICMPv6 echo reply handlers of FreeRTOS-Plus-TCP versions before V4.4.1 and V4.2.6. This occurs when the outgoing ping support is enabled, and the code subtracts header sizes from a packet length field without verifying that the field is large enough. If the packet length is smaller than the header size, an underflow happens, causing the system to read beyond the allocated heap buffer by up to approximately 65KB.
This vulnerability can be triggered by an adjacent network user sending specially crafted packets, leading to a heap out-of-bounds read and potentially causing the device to crash.
The issue has been fixed in FreeRTOS-Plus-TCP versions V4.4.1 and V4.2.6. Mitigation can also be achieved by disabling the outgoing ping support feature.
How can this vulnerability impact me?
This vulnerability primarily impacts the availability of affected devices by causing a denial of service (DoS) condition.
An attacker on an adjacent network can exploit this flaw by sending crafted ICMP or ICMPv6 echo reply packets, which trigger an integer underflow and cause the device to crash due to a heap out-of-bounds read.
The attack requires proximity to the target network and does not require any privileges or user interaction, but it can disrupt device operation and network services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by crafted ICMP or ICMPv6 echo reply packets when outgoing ping support is enabled (ipconfigSUPPORT_OUTGOING_PINGS setting). Detection involves monitoring for unusual or malformed ICMP echo reply packets that could cause an integer underflow.
Since the vulnerability involves an integer underflow caused by packets with packet length fields smaller than header sizes, network detection tools could be configured to alert on ICMP echo replies with suspiciously small or malformed length fields.
Specific commands to detect this vulnerability are not provided in the available resources.
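The following C program is an added illustration, not FreeRTOS-Plus-TCP source code, of the CWE-191 pattern the explanations above describe (a header size subtracted from a 16-bit length field without a range check) next to the checked form, plus a packet-level predicate of the kind the detection answers point at: flag an ICMP echo reply whose IP total-length field is too small to hold its own headers. The header sizes (20-byte IPv4, 8-byte ICMP echo), field offsets and the two sample frames are assumptions constructed for this example and are not taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed header sizes for this illustration: a minimal IPv4 header and an
 * ICMP echo header. Not the constants used by FreeRTOS-Plus-TCP. */
#define IPV4_HDR_LEN      20u
#define ICMP_ECHO_HDR_LEN 8u

/* Unchecked pattern (CWE-191): when total_len is smaller than the combined
 * header size, the unsigned subtraction wraps; for a 16-bit length field the
 * result lands near 65535, which a later copy or scan would treat as the
 * payload size and read far past the end of the buffer. */
uint16_t payload_len_unchecked(uint16_t total_len)
{
    return (uint16_t)(total_len - (IPV4_HDR_LEN + ICMP_ECHO_HDR_LEN));
}

/* Checked pattern: verify the length field covers both headers before
 * subtracting. Returns the payload length, or -1 if the packet is malformed. */
long payload_len_checked(uint16_t total_len)
{
    const size_t headers = IPV4_HDR_LEN + ICMP_ECHO_HDR_LEN;
    if (total_len < headers) {
        return -1;
    }
    return (long)total_len - (long)headers;
}

/* Detection predicate over a raw IPv4 packet as captured from the wire.
 * Returns 1 if the packet is an ICMP echo reply (type 0) whose IP total-length
 * field is smaller than the IPv4 + ICMP header size (the condition that would
 * drive the unchecked subtraction above), and 0 otherwise. pkt_len is the
 * captured buffer length, which is deliberately distinct from the length
 * field inside the header. */
int is_short_icmp_echo_reply(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IPV4_HDR_LEN) return 0;
    if ((pkt[0] >> 4) != 4) return 0;                /* IPv4 only in this example */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4u;       /* header length in bytes */
    if (ihl < IPV4_HDR_LEN || pkt_len < ihl + ICMP_ECHO_HDR_LEN) return 0;
    if (pkt[9] != 1) return 0;                       /* protocol 1 = ICMP */
    if (pkt[ihl] != 0) return 0;                     /* ICMP type 0 = echo reply */
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return total_len < ihl + ICMP_ECHO_HDR_LEN ? 1 : 0;
}

/* Constructed sample frames (not captured traffic): a 20-byte IPv4 header with
 * no options followed by an 8-byte ICMP echo reply header. Checksums are left
 * zero because the predicate does not use them. */
static const uint8_t GOOD_REPLY[28] = {
    0x45, 0x00, 0x00, 0x1c,   /* version 4 / IHL 5, TOS, total length = 28 */
    0x00, 0x01, 0x00, 0x00,   /* identification, flags / fragment offset */
    0x40, 0x01, 0x00, 0x00,   /* TTL 64, protocol 1 (ICMP), checksum */
    192, 168, 1, 2,           /* source address (constructed) */
    192, 168, 1, 1,           /* destination address (constructed) */
    0x00, 0x00, 0x00, 0x00,   /* ICMP type 0 (echo reply), code, checksum */
    0x12, 0x34, 0x00, 0x01    /* identifier, sequence number */
};

/* Same frame, but the total-length field claims only 10 bytes, fewer than the
 * 28 bytes of headers that precede any payload. */
static const uint8_t SHORT_REPLY[28] = {
    0x45, 0x00, 0x00, 0x0a,   /* total length = 10 */
    0x00, 0x01, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00,
    192, 168, 1, 2,
    192, 168, 1, 1,
    0x00, 0x00, 0x00, 0x00,
    0x12, 0x34, 0x00, 0x01
};

int sample_good_is_short(void)  { return is_short_icmp_echo_reply(GOOD_REPLY, sizeof GOOD_REPLY); }
int sample_short_is_short(void) { return is_short_icmp_echo_reply(SHORT_REPLY, sizeof SHORT_REPLY); }

int main(void)
{
    printf("unchecked payload length for total_len=10: %u\n", payload_len_unchecked(10));
    printf("checked payload length for total_len=10:   %ld\n", payload_len_checked(10));
    printf("checked payload length for total_len=60:   %ld\n", payload_len_checked(60));
    printf("well-formed reply flagged: %d\n", sample_good_is_short());
    printf("short-length reply flagged: %d\n", sample_short_is_short());
    return 0;
}
```

Running it shows the unchecked subtraction turning a 10-byte length into a 65518-byte payload size, while the checked version rejects the same input; the predicate is the same comparison lifted to a captured frame, which is what a capture filter or IDS rule for this class of packet has to express.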
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FreeRTOS-Plus-TCP to a fixed version: V4.2.6 or V4.4.1, where this vulnerability has been patched.
Alternatively, disabling outgoing ping support by setting ipconfigSUPPORT_OUTGOING_PINGS to 0 in the FreeRTOSIPConfig.h configuration file can mitigate the issue, as the vulnerability only triggers when outgoing ping support is enabled.