CVE-2026-7424
Published: 29 April 2026
Summary
CVE-2026-7424 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Amazon Freertos-Plus-Tcp. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 3.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the integer underflow vulnerability by requiring timely remediation through patching FreeRTOS-Plus-TCP to fixed versions V4.2.6 or V4.4.1.
Requires validation of incoming DHCPv6 sub-option data to prevent integer underflow exploitation from crafted packets.
Enforces least functionality by disabling DHCPv6 when not required, eliminating exposure to the vulnerability present whenever the feature is enabled.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The integer underflow in the DHCPv6 sub-option parser allows an adjacent network attacker to send a single crafted packet that corrupts IPv6/DNS/lease configuration and causes a permanent IP task freeze requiring hardware reset, directly mapping to exploitation of the system/application for denial of service.
NVD Description
Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task…
more
freeze requiring hardware reset) by sending a single crafted DHCPv6 packet. The issue is present whenever DHCPv6 is enabled. To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.
Deeper analysisAI
CVE-2026-7424 is an integer underflow vulnerability (CWE-191) in the DHCPv6 sub-option parser within FreeRTOS-Plus-TCP versions before V4.4.1 and V4.2.6. It affects embedded devices or systems using this TCP/IP stack when DHCPv6 is enabled, as the flaw exists whenever that feature is active. Published on 2026-04-29, it carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting high impacts on integrity and availability with no confidentiality effects.
An adjacent network actor can exploit this vulnerability by sending a single crafted DHCPv6 packet, requiring low attack complexity and no privileges or user interaction. Successful exploitation allows the attacker to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, while also triggering a denial of service through a permanent IP task freeze that necessitates a hardware reset.
Mitigation requires upgrading to FreeRTOS-Plus-TCP V4.2.6, V4.4.1, or newer versions, as stated in the official advisories. Relevant resources include the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-022-aws/, GitHub release tags for V4.2.6 and V4.4.1, and the security advisory at https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-wrhm-c99p-2p8g.
Details
- CWE(s)