Medium severity6.5NVD Advisory· Published Apr 29, 2026· Updated May 4, 2026

CVE-2026-7422

Description

Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint.

To mitigate this issue, users should upgrade to the fixed version when available.

Affected products

FreeRTOS/Freertos Plus Tcpreferences
Amazon (company)/Freertos Plus Tcp
cpe:2.3:a:amazon:freertos-plus-tcp:*:*:*:*:*:*:*:*
Range: >=4.0.0,<4.2.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

aws.amazon.com/security/security-bulletins/2026-021-aws/nvdVendor Advisory
github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-jpw4-6h59-62w9nvdVendor AdvisoryPatch
github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.2.6nvdRelease Notes
github.com/FreeRTOS/FreeRTOS-Plus-TCP/releases/tag/V4.4.1nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000