Skip to main content

FRRouting (FRR) CVE-2026-37460

| EUVDEUVD-2026-34083 HIGH
Improper Input Validation (CWE-20)
2026-06-03 cve@mitre.org GHSA-4ph9-3c4q-r2hh
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 05, 2026 - 20:33 vuln.today
Analysis Generated
Jun 05, 2026 - 20:33 vuln.today
CVSS changed
Jun 05, 2026 - 18:22 NVD
7.5 (HIGH)
CVE Published
Jun 03, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

AnalysisAI

Remote denial-of-service in FRRouting BGP daemon affects stable branches 10.0 through 10.6 via the rfapiRibBi2Ri() function in the RFAPI module. A remote attacker capable of sending crafted BGP UPDATE messages can crash or hang the routing daemon due to missing input validation on encapsulation sub-TLV length fields. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the attack surface is any BGP peer the router accepts sessions from.

Technical ContextAI

FRRouting is an open-source IP routing protocol suite (fork of Quagga) widely deployed in Linux-based routers, SONiC, Cumulus, and cloud networking stacks. The flaw sits in the RFAPI (Remote Future API) subsystem used for VPN/EVPN overlay route distribution, specifically rfapi_rib.c which processes encapsulation sub-TLVs attached to BGP UPDATE messages. CWE-20 (Improper Input Validation) applies because the parser dereferences pEncap->length and pEncap->value[1] without first verifying minimum length (<3) or rejecting zero-length values, which can lead to out-of-bounds reads or processing of malformed state. The accompanying commit also patches related missing length checks in process_type2_route, process_type3_route, and bgp_evpn_type4_route_process, indicating a broader pattern of NLRI length-validation gaps in the EVPN/RFAPI code path.

RemediationAI

Upstream fix available (PR/commit https://github.com/FRRouting/frr/pull/21098 and commit 7676cad65114aa23adde58); released patched version not independently confirmed, so operators should track FRR 10.6.x and 10.x maintenance releases for the tagged backport and upgrade once published. As a compensating control until patched, restrict BGP sessions to authenticated, known peers using TCP-AO or MD5 with strict prefix-list and max-prefix limits, and disable the RFAPI/VNC feature in bgpd if it is not in use (configure --disable-bgp-vnc at build time or omit 'rfapi' from daemons.conf) which eliminates the vulnerable code path entirely at the cost of losing VNC/NVA overlay functionality. Network operators should also consider BGP route validation and BGPsec where feasible, and segment management/peering interfaces so that only trusted ASNs can initiate sessions; advisory tracking at https://vuldb.com/vuln/368133 and https://nvd.nist.gov/vuln/detail/CVE-2026-37460.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-37460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy