
Amazon has issued a security advisory for a memory corruption vulnerability in the widely used FreeRTOS-Plus-TCP stack. Tracked as CVE-2025-5688, this out-of-bounds write issue scores 8.4 on the CVSS scale, making it a high-severity flaw that could result in crashes or potentially arbitrary code execution in embedded devices using vulnerable configurations.
FreeRTOS-Plus-TCP is Amazon’s open-source TCP/IP stack designed for use with FreeRTOS, one of the most popular real-time operating systems for microcontrollers and embedded systems. It provides a full suite of networking protocols including IPv6, DHCP, DNS, mDNS, ICMPv6, and more.
It also supports two primary memory management methods:
- Buffer Allocation Scheme 1 – Fixed-size buffers from a predefined pool
- Buffer Allocation Scheme 2 – Dynamic buffers allocated from the heap
Amazon disclosed: “We identified CVE-2025-5688, that may allow out-of-bounds write when processing LLMNR or mDNS queries with very long DNS names.”
The flaw only affects systems using Buffer Allocation Scheme 1, and only when LLMNR (Link-Local Multicast Name Resolution) or mDNS (Multicast DNS) is enabled.
The affected versions include:
- v2.3.4 through v4.3.1, when using LLMNR with Buffer Allocation Scheme 1
- v4.0.0 through v4.3.1, when using mDNS with Buffer Allocation Scheme 1
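As an added example (not from Amazon's advisory or the FreeRTOS project), the Python check below applies the conditions above to one firmware build: version range, Buffer Allocation Scheme 1, and whether LLMNR or mDNS is switched on in `FreeRTOSIPConfig.h`. The function names, the sample header, and the rule that an undefined macro means the feature is off are assumptions; the buffer scheme is passed in because it is chosen at build time rather than in this header.

```python
import re

# Inclusive affected ranges per feature, as listed in the article.
AFFECTED = {"LLMNR": ((2, 3, 4), (4, 3, 1)), "mDNS": ((4, 0, 0), (4, 3, 1))}
# FreeRTOS-Plus-TCP config macros that enable each feature.
MACROS = {"LLMNR": "ipconfigUSE_LLMNR", "mDNS": "ipconfigUSE_MDNS"}
DISABLED = {"0", "ipconfigDISABLE"}

# Constructed sample header fragment, for illustration only.
SAMPLE_CONFIG = """
/* constructed FreeRTOSIPConfig.h fragment */
#define ipconfigUSE_DNS      1
#define ipconfigUSE_LLMNR    ( 1 )
// #define ipconfigUSE_MDNS  1
#define ipconfigUSE_MDNS     0
"""

def parse_version(text):
    """Turn 'v4.3.1' or '4.3.1' into a comparable (4, 3, 1) tuple."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def enabled_features(config_text):
    """Return the features whose macro is defined to a non-disabled value."""
    # Drop C comments so commented-out defines are not counted.
    src = re.sub(r"/\*.*?\*/", " ", config_text, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    found = set()
    for feature, macro in MACROS.items():
        pattern = rf"^[ \t]*#[ \t]*define[ \t]+{macro}[ \t]+\(?[ \t]*(\w+)"
        values = re.findall(pattern, src, flags=re.M)
        # Assumption: macro absent means disabled; the last define wins.
        if values and values[-1] not in DISABLED:
            found.add(feature)
    return found

def exposure(version, buffer_scheme, config_text):
    """List the enabled features that put this build in scope of CVE-2025-5688."""
    if buffer_scheme != 1:  # only Buffer Allocation Scheme 1 is affected
        return []
    ver = parse_version(version)
    return sorted(f for f in enabled_features(config_text)
                  if AFFECTED[f][0] <= ver <= AFFECTED[f][1])

if __name__ == "__main__":
    print(exposure("v4.3.1", 1, SAMPLE_CONFIG))
```

An empty list means the build falls outside the conditions the advisory describes; forked or derivative code still needs a manual check that the 4.3.2 fix was merged.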
Amazon credits Purdue University for identifying and reporting the vulnerability through a responsible disclosure process.
Amazon urges developers to patch immediately: “This issue has been addressed in FreeRTOS-Plus-TCP version 4.3.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.”
The fix is available on the official GitHub release page.