JustAppSec

DHCPv6 parser underflow freezes FreeRTOS-Plus-TCP IP task permanently

Published 29 Apr 2026. Source: GitHub Security Advisory. 2 min read.

TL;DR - A crafted DHCPv6 message triggers an integer underflow in FreeRTOS-Plus-TCP's sub-option parser. It corrupts the device's IPv6 address, DNS config, and lease state - then hard-freezes the IP task. Recovery requires a hardware reset. Patch to V4.4.1 or V4.2.6.

What happened

FreeRTOS-Plus-TCP is the TCP/IP stack bundled with FreeRTOS, running on a huge range of constrained embedded devices.

The advisory discloses an integer underflow in the DHCPv6 sub-option parser. An attacker on the same network segment sends a crafted DHCPv6 message; no authentication or user interaction is involved (PR:N/UI:N in the vector below). The underflow corrupts parser state, which lets the attacker poison the device's IPv6 address assignment, DNS configuration, and lease timings. The end state is a permanent IP task freeze: the device loses network connectivity and does not recover without a hardware reset.

Affected versions: V4.0.0 through V4.2.5; V4.3.0 through V4.4.0
Patched versions: V4.2.6, V4.4.1
Severity: CVSS v3.1 base score 8.1 (High)
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

DHCP parsing bugs are a recurring high-impact class in embedded networking: a client has to trust length fields in a message it cannot authenticate. "Adjacent" (AV:A) in the CVSS vector is not a high bar. DHCPv6 is link-scoped by design, with clients soliciting on the ff02::1:2 multicast group and accepting whatever answers, so in practice anyone on the same Wi-Fi network or VLAN can deliver the message.
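To make the bug class concrete, here is an added example of the length-underflow pattern in a DHCPv6 option walker. This is not FreeRTOS-Plus-TCP code and not the advisory's exact bug (the advisory does not publish the affected function); it is a minimal walker over the sub-options of an IA_NA option, using the RFC 8415 layout, written once with the unchecked-subtraction pattern and once with the bounds checks that prevent it. The function names, the `ia_walk_t` result type, the `limit` harness parameter and the sample option bodies are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DHCPv6 option header is code(2) | len(2), big-endian (RFC 8415 s.21).
 * An IA_NA option (code 3) carries IAID, T1, T2 (12 bytes) followed by
 * sub-options, typically IA Address (code 5, 24 bytes of data). */
#define DHCPV6_OPT_HDR      4u
#define DHCPV6_OPT_IAADDR   5u
#define DHCPV6_IA_NA_FIXED  12u

typedef struct {
    size_t sub_options;  /* IA Address sub-options accepted */
    size_t end_offset;   /* cursor position when the walk stopped */
    bool   overrun;      /* cursor went past the end of the option body */
    bool   rejected;     /* parser refused the message as malformed */
} ia_walk_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* VULNERABLE (illustrative pattern, not FreeRTOS-Plus-TCP code). Both
 * subtractions trust peer-supplied lengths: data_len < 12, or a sub-option
 * len larger than what remains, wraps `remaining` to a huge value and the
 * loop keeps walking beyond the option. `limit` is harness instrumentation
 * only: it stops the demo before it dereferences out-of-bounds memory,
 * which real code would go on to do. */
ia_walk_t walk_ia_na_vulnerable(const uint8_t *data, size_t data_len, size_t limit)
{
    ia_walk_t r = {0, 0, false, false};
    size_t remaining = data_len - DHCPV6_IA_NA_FIXED;   /* underflow #1 */
    size_t off = DHCPV6_IA_NA_FIXED;
    while (remaining >= DHCPV6_OPT_HDR) {
        if (off + DHCPV6_OPT_HDR > limit) { r.overrun = true; break; }
        uint16_t code = rd16(data + off);
        uint16_t len  = rd16(data + off + 2);
        if (code == DHCPV6_OPT_IAADDR) r.sub_options++;
        off       += DHCPV6_OPT_HDR + len;
        remaining -= DHCPV6_OPT_HDR + len;                /* underflow #2 */
    }
    r.end_offset = off;
    return r;
}

/* HARDENED: compare before subtracting, and bound every length by what is
 * actually left in the option body; reject rather than resynchronise. */
ia_walk_t walk_ia_na_hardened(const uint8_t *data, size_t data_len)
{
    ia_walk_t r = {0, 0, false, false};
    if (data_len < DHCPV6_IA_NA_FIXED) { r.rejected = true; return r; }
    size_t off = DHCPV6_IA_NA_FIXED;
    while (data_len - off >= DHCPV6_OPT_HDR) {
        uint16_t code = rd16(data + off);
        uint16_t len  = rd16(data + off + 2);
        if (len > data_len - off - DHCPV6_OPT_HDR) { r.rejected = true; break; }
        if (code == DHCPV6_OPT_IAADDR) r.sub_options++;
        off += DHCPV6_OPT_HDR + len;
    }
    r.end_offset = off;
    return r;
}

/* Constructed sample IA_NA option bodies (not captured traffic). */
const uint8_t kGoodIaNa[40] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x00,0x1c,0x20, /* IAID, T1, T2 */
    0x00,0x05, 0x00,0x18,                                         /* IAADDR, len 24 */
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,            /* 2001:db8::1 */
    0x00,0x00,0x0e,0x10, 0x00,0x00,0x1c,0x20                      /* lifetimes */
};
/* Sub-option claims 65535 bytes of data but only 4 follow. */
const uint8_t kBadLenIaNa[20] = {
    0x00,0x00,0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x00,0x1c,0x20,
    0x00,0x05, 0xff,0xff, 0xde,0xad,0xbe,0xef
};
/* Option body shorter than the 12-byte fixed part. */
const uint8_t kShortIaNa[8] = { 0x00,0x00,0x00,0x01, 0x00,0x00,0x0e,0x10 };

int main(void)
{
    ia_walk_t v = walk_ia_na_vulnerable(kBadLenIaNa, sizeof kBadLenIaNa, sizeof kBadLenIaNa);
    ia_walk_t h = walk_ia_na_hardened(kBadLenIaNa, sizeof kBadLenIaNa);
    printf("vulnerable: end_offset=%zu overrun=%d\n", v.end_offset, (int)v.overrun);
    printf("hardened:   end_offset=%zu rejected=%d\n", h.end_offset, (int)h.rejected);
    return 0;
}
```

The two subtractions in the vulnerable walker are the thing to grep for in any forked or derivative stack you cannot upgrade yet: unsigned arithmetic on a length the peer supplied, with the comparison done after the subtraction instead of before. Unsigned wrap is silent, so the loop does not fault on the bad length; it keeps walking with a cursor that now points outside the option it was supposed to stay in. The hardened form never subtracts before it has compared, and rejects the whole message rather than trying to recover.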

Who is impacted

  • Devices and products embedding FreeRTOS-Plus-TCP in the affected version ranges.
  • Deployments where an attacker can reach DHCPv6 traffic on the same local network segment.
  • Fleets where an IP-task freeze means a truck roll, watchdog reboot, or manual intervention. Availability and operational cost are the real blast radius here.

What to do now

  • Upgrade to the patched release for your branch - V4.4.1 if you're on the V4.3.x/V4.4.x line, V4.2.6 if you're on V4.2.x.

    "This issue has been addressed in FreeRTOS-Plus-TCP version V4.4.1 and V4.2.6. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes."

  • If you cannot upgrade immediately, reduce exposure:
    • Disable DHCPv6 at build time (FreeRTOSIPConfig.h) and configure IPv6 addressing statically if your environment allows it; if the DHCPv6 client is compiled out, the affected parser is never reached.
    • Restrict DHCPv6 traffic to trusted sources on the local network segment: DHCPv6-Shield / DHCPv6 Guard on managed switches (RFC 7610), or filtering of UDP 546/547 so that only the legitimate server or relay can reach the clients.
  • Do the inventory work:
    • Identify every firmware image and product that vendors FreeRTOS-Plus-TCP, including forks and derivative codebases.
    • Confirm which branch line you are on (V4.2.x vs V4.4.x) before you pick a target release.
  • After patching, validate IPv6 and DNS configuration state on affected devices - not just "it boots".

Additional information

  • GitHub Security Advisory identifier: GHSA-wrhm-c99p-2p8g.
  • No CWEs are listed for this issue in the advisory.

