The Apache Software Foundation has released updates for Apache NuttX, a real-time operating system (RTOS) widely used in environments ranging from 8-bit to 64-bit microcontrollers. The alerts highlight two distinct vulnerabilities within the OS’s filesystem management that could allow attackers to crash systems or corrupt memory, particularly in devices exposing file services over a network.
The more severe of the two flaws, rated as Moderate, is a “Use After Free” vulnerability tracked as CVE-2025-48769.
The issue resides in the fs/vfs/fs_rename code, which handles renaming files. According to the advisory, the flaw stems from a “recursive implementation and single buffer use by two different pointer variables”. This coding error allows a user to trigger a reallocation of a buffer with an arbitrary size and subsequently write to a heap chunk that has already been freed.
In specific scenarios, this memory corruption “could cause unintended virtual filesystem rename/move operation results”.
Affected Versions: Apache NuttX RTOS 7.20 through versions prior to 12.11.0.
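The bug class the advisory describes, a second pointer into a buffer that is then reallocated, is shown below as an added C example; it is not NuttX code and does not come from the advisory. The names `pathbuf`, `pb_reserve`, `pb_init`, `set_basename_unsafe` and `set_basename_safe` are hypothetical, and the recursive part of the rename logic is not modelled.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed growable path buffer (hypothetical; not NuttX code). */
struct pathbuf { char *data; size_t len, cap; };

/* Ensure room for `need` bytes plus NUL. realloc() may move the block,
 * which invalidates every pointer previously derived from pb->data. */
int pb_reserve(struct pathbuf *pb, size_t need)
{
    if (need + 1 <= pb->cap) return 0;
    char *p = realloc(pb->data, need + 1);
    if (p == NULL) return -1;           /* old block stays valid on failure */
    pb->data = p;
    pb->cap = need + 1;
    return 0;
}

int pb_init(struct pathbuf *pb, const char *s)
{
    pb->data = NULL; pb->cap = 0; pb->len = strlen(s);
    if (pb_reserve(pb, pb->len) < 0) return -1;
    memcpy(pb->data, s, pb->len + 1);
    return 0;
}

#ifdef SHOW_UNSAFE  /* contrast only, not compiled by default */
int set_basename_unsafe(struct pathbuf *pb, const char *newname)
{
    char *slash = strrchr(pb->data, '/');
    char *base = slash ? slash + 1 : pb->data;  /* second pointer, same buffer */
    size_t need = (size_t)(base - pb->data) + strlen(newname);
    if (pb_reserve(pb, need) < 0) return -1;    /* may free the old block */
    strcpy(base, newname);                      /* stale pointer: use after free */
    pb->len = need;
    return 0;
}
#endif

/* Hardened: carry an offset across the reallocation, then re-derive. */
int set_basename_safe(struct pathbuf *pb, const char *newname)
{
    char *slash = strrchr(pb->data, '/');
    size_t off = slash ? (size_t)(slash - pb->data) + 1 : 0;
    size_t nlen = strlen(newname);
    if (pb_reserve(pb, off + nlen) < 0) return -1;
    memcpy(pb->data + off, newname, nlen + 1);  /* current base + offset */
    pb->len = off + nlen;
    return 0;
}
```

Building the unsafe variant with `-DSHOW_UNSAFE -fsanitize=address` and calling it with a name long enough to force growth makes AddressSanitizer report the stale write.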
The second vulnerability, rated as Low severity, involves a logic error that could lead to a Denial of Service (DoS). Tracked as CVE-2025-48768, this flaw exists in the fs/inode/fs_inoderemove code.
The bug allows for the “root filesystem inode removal,” an action that should typically be forbidden. Triggering this can lead to a “NULL pointer dereference” or hit a debug assertion, effectively crashing the system. The impact varies depending on the target architecture but generally results in a system freeze or crash.
Affected Versions: Apache NuttX RTOS 10.0.0 through versions prior to 12.10.0.
While these bugs are located deep in the OS kernel, they are reachable remotely if the device exposes filesystem services. The advisory explicitly warns users of “virtual filesystem based services with write access especially when exposed over the network (i.e. FTP)”.
Administrators and developers using Apache NuttX are advised to upgrade their builds immediately:
- To fix the Use After Free (CVE-2025-48769), upgrade to version 12.11.0.
- To fix the Root Inode Removal (CVE-2025-48768), upgrade to version 12.10.0.