CVE-2026-7422

MEDIUM 6.5

MAC Address Validation Bypass in FreeRTOS-Plus-TCP IPv4 and IPv6 Packet Processing

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available.

CWE	CWE-290
Vendor	aws
Product	freertos-plus-tcp
Published	Apr 29, 2026
Last Updated	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for aws freertos-plus-tcp

Be the first to know when new medium vulnerabilities affecting aws freertos-plus-tcp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

AWS / FreeRTOS-Plus-TCP

4.0.0 < 4.2.6 4.3.0 < 4.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1 github.com: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6 aws.amazon.com: https://aws.amazon.com/security/security-bulletins/2026-021-aws/ github.com: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-jpw4-6h59-62w9