Apache NuttX RTOS memory flaw exposes IoT devices to remote crashes
Take action: If you are using devices with NuttX, make sure all devices are isolated from the internet and accessible from trusted networks only. Update any hardware running Apache NuttX to version 12.11.0, especially if the device uses network file services with write permissions. In the meantime, disable file upload/sharing where possible.
The Apache Software Foundation fixed a memory bug in the NuttX Real-Time Operating System (RTOS). NuttX is a popular choice for resource-constrained environments like factory sensors, making this issue a significant risk for the Internet of Things (IoT) and industrial sectors. It also runs on many small gadgets like smartwatches.
The flaw is tracked as CVE-2025-48769 (CVSS score 9.8), a use-after-free vulnerability in the fs/vfs/fs_rename function that allows remote code execution or system crashes.
The bug is in the file-rename code, which uses one memory block for two different tasks at the same time. When the system renames a file, it can free that block and then write new data into the freed space. This use-after-free error lets an attacker corrupt the system's memory heap.
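To make the shared-block mistake concrete, here is an added illustration in C (not NuttX code; the pool, function and buffer names are hypothetical): the vulnerable flow lets the old-path lookup release a block that the new-path write then reuses, while the hardened flow keeps the two lifetimes apart.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model (not NuttX code) of the pattern the advisory describes: a
 * rename helper that lets one heap block serve two tasks, resolving the old path
 * and then building the new path. A one-slot instrumented pool stands in for the
 * kernel allocator so a stale write is reported as a return value instead of
 * corrupting the real heap. All names here are hypothetical. */

#define BLOCK_SIZE 64
static char pool[BLOCK_SIZE];        /* the single block the pool hands out */
static bool pool_live = false;       /* true while the block is allocated */

static char *pool_alloc(void) { pool_live = true; pool[0] = '\0'; return pool; }
static void pool_free(char *p) { if (p == pool) pool_live = false; }

/* Copy s into p; refuse and report if p is the pool block and it was freed. */
static bool pool_write(char *p, const char *s) {
    if (p == pool && !pool_live) return false;   /* use after free caught here */
    if (strlen(s) >= BLOCK_SIZE) return false;   /* would overflow the block */
    strcpy(p, s);
    return true;
}

/* Vulnerable flow: resolving oldpath releases the block, then the code reuses
 * the same pointer to build newpath. Returns false when the stale write is
 * detected, which is the condition the advisory describes. */
bool rename_shared_block(const char *oldpath, const char *newpath) {
    char *buf = pool_alloc();
    if (!pool_write(buf, oldpath)) { pool_free(buf); return false; }
    pool_free(buf);                               /* lookup done, block released */
    return pool_write(buf, newpath);              /* task 2 writes into freed block */
}

/* Hardened flow: the new path gets its own storage, the old-path block is
 * released only after both paths are finished with, and the pointer is cleared
 * so nothing can reuse it afterwards. */
bool rename_separate_blocks(const char *oldpath, const char *newpath) {
    char newbuf[BLOCK_SIZE];                      /* independent storage */
    char *buf = pool_alloc();
    if (!pool_write(buf, oldpath)) { pool_free(buf); return false; }
    if (strlen(newpath) >= sizeof newbuf) { pool_free(buf); return false; }
    strcpy(newbuf, newpath);
    /* the rename itself would consume buf (old) and newbuf (new) here */
    bool ok = strcmp(buf, oldpath) == 0 && strcmp(newbuf, newpath) == 0;
    pool_free(buf);
    buf = NULL;                                   /* no dangling pointer survives */
    return ok;
}
```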
Attackers can use this flaw if a device shares files over a network, for example through an FTP server. By sending rename commands, an attacker can cause a kernel panic. This freezes the device until someone restarts it by hand. The flaw can also move files into the wrong directories, which might leak secrets or break how the device works.
Developers should update their devices to Apache NuttX version 12.11.0. If you can't update yet, turn off network file sharing or stop users from writing to the file system from the internet.