CVE-2025-48769 — Use-After-Free Vulnerability in Apache NuttX RTOS

CVE-2025-48769 is a Use After Free memory corruption vulnerability in the Apache NuttX Real-Time Operating System (RTOS). It affects the virtual filesystem rename code (fs/vfs/fs_rename), and can lead to unstable behavior such as unintended file rename/move results or system crashes.


Affected Software

  • Apache NuttX RTOS versions from 7.20 up to (but not including) 12.11.0
    Systems running these versions are vulnerable.

Technical Details

  • Vulnerability Type: Use After Free (CWE-416)
  • The bug arises because the code reaches a single buffer through two different pointers, which can lead to writing into freed memory.
  • This unsafe memory handling can corrupt heap memory, potentially causing unintended filesystem behavior or crashes, particularly when filesystem services are exposed on a network.
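
A generic instance of the pattern described above (one heap buffer reached through two pointers), shown beside a corrected form. This is an added example, not NuttX source code or the project's fix; the `append_vulnerable`, `append_fixed` and `demo_fixed` helpers, the `SHOW_VULNERABLE` macro and the sample paths are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, NOT NuttX source. The
 * append_*() helpers are hypothetical: they extend a heap path buffer
 * with "/name", as a rename into a directory would. */

#ifdef SHOW_VULNERABLE  /* kept out of the default build on purpose */
/* BEFORE: 'cursor' and '*buf' refer to the same heap buffer. realloc() may
 * move the data and free the old block, leaving 'cursor' dangling. */
int append_vulnerable(char **buf, const char *name)
{
  char *cursor = *buf + strlen(*buf);      /* second pointer, same buffer */
  char *grown = realloc(*buf, strlen(*buf) + strlen(name) + 2);
  if (grown == NULL) return -1;
  *buf = grown;
  sprintf(cursor, "/%s", name);            /* write into freed memory */
  return 0;
}
#endif

/* AFTER: carry an offset, not a pointer, across the reallocation and
 * derive the write position from the live buffer only. */
int append_fixed(char **buf, const char *name)
{
  size_t used = strlen(*buf);
  size_t need = used + strlen(name) + 2;   /* '/' + name + NUL */
  char *grown = realloc(*buf, need);
  if (grown == NULL) return -1;            /* *buf is still valid here */
  *buf = grown;
  snprintf(grown + used, need - used, "/%s", name);
  return 0;
}

/* Constructed sample input; returns 0 when the result is the expected path. */
int demo_fixed(void)
{
  char *path = malloc(5);
  int rc;
  if (path == NULL) return -1;
  strcpy(path, "/mnt");
  rc = append_fixed(&path, "a_much_longer_destination_name.txt");
  if (rc == 0) rc = strcmp(path, "/mnt/a_much_longer_destination_name.txt");
  free(path);
  return rc;
}
```
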

Severity

  • Sources differ in how they label the severity. Security scanners (e.g., Tenable) indicate:
    • CVSS v3.0 Score: ~9.8 (Critical severity)
    • CVSS v2 Score: ~7.5 (High severity)
    (Not all databases have published official CVSS scores yet.)

Mitigation / Fix

  • The issue has been fixed in Apache NuttX version 12.11.0.
    Upgrading vulnerable systems to this version or later eliminates the flaw.

Impact

  • Embedded systems, IoT devices, or other specialized hardware running NuttX with network-accessible virtual filesystems are most at risk.
  • No widespread public exploit activity has been reported yet — but the flaw can cause instability or memory corruption if exploited.