Issue with FreeRTOS-Plus-TCP - MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow
Bulletin ID: 2026-021-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/29/2026 11:45 AM PDT
Description:
FreeRTOS-Plus-TCP is a scalable, open source, and thread-safe TCP/IP stack for FreeRTOS.
- CVE-2026-7422: Insufficient packet validation in the IPv4 and IPv6 receive paths allows an adjacent network device to send a packet that bypasses checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the target device's own registered endpoints.
- CVE-2026-7423: Integer underflow in the ICMP and ICMPv6 echo reply handlers allows an adjacent network device to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read.
Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0
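As an added illustration of the ICMP echo reply underflow described above (this is not FreeRTOS-Plus-TCP's own code; the header sizes, function names and sample frames are assumptions for an Ethernet/IPv4 layout), the unchecked subtraction is shown beside the length validation that prevents the wrap-around and the out-of-bounds read:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed header sizes for an Ethernet/IPv4/ICMP echo reply; stand-ins for the
 * stack's own structures, not FreeRTOS-Plus-TCP constants. */
#define ETH_HDR_LEN   14u
#define IPV4_HDR_LEN  20u
#define ICMP_HDR_LEN   8u
#define ALL_HDR_LEN   (ETH_HDR_LEN + IPV4_HDR_LEN + ICMP_HDR_LEN) /* 42 */

/* The pattern the advisory describes: subtracting header sizes from an
 * unsigned length without checking it first. A 40-byte frame wraps to a
 * value near SIZE_MAX, and any copy sized by it reads past the buffer. */
size_t echo_payload_len_unchecked(size_t frame_len)
{
    return frame_len - ALL_HDR_LEN;
}

/* Hardened form: confirm the frame can hold the headers before subtracting. */
bool echo_payload_len_checked(size_t frame_len, size_t *payload_len)
{
    if (frame_len < ALL_HDR_LEN) {
        return false;                     /* too short: drop the packet */
    }
    *payload_len = frame_len - ALL_HDR_LEN;
    return true;
}

/* Copies the echo payload into out[], bounded by the validated payload length
 * and the destination capacity. Returns bytes copied, or SIZE_MAX on reject. */
size_t process_echo_reply(const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t out_cap)
{
    size_t n;
    if (!echo_payload_len_checked(frame_len, &n)) {
        return SIZE_MAX;
    }
    if (n > out_cap) {
        n = out_cap;                      /* never exceed the destination */
    }
    memcpy(out, frame + ALL_HDR_LEN, n);
    return n;
}
/* Constructed sample frames (headers zeroed; only the lengths matter here). */
const uint8_t k_short_frame[40] = {0};            /* shorter than the headers */
const uint8_t k_valid_frame[50] = {[42] = 'p', 'i', 'n', 'g', '-', 'r', 'e', 'p'};
uint8_t g_scratch[64];
```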
Resolution:
These issues have been addressed in FreeRTOS-Plus-TCP versions V4.4.1 and V4.2.6. We recommend upgrading to the latest version and ensuring that any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
CVE-2026-7423 (ICMP integer underflow) can be mitigated by disabling outgoing ping support, by setting ipconfigSUPPORT_OUTGOING_PINGS to 0 in your FreeRTOSIPConfig.h configuration file, or by updating to a fixed version. Mitigating CVE-2026-7422 (MAC address validation bypass) requires updating to a fixed version.
References:
Acknowledgment:
We would like to thank Espilon for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.