Skip to main content

FastNetMon Community CVE-2026-48686

| EUVDEUVD-2026-31842 CRITICAL
Classic Buffer Overflow (CWE-120)
2026-05-26 mitre GHSA-7p7c-c3vp-p386
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 08:33 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
9.8 (CRITICAL)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.

AnalysisAI

Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.

Technical ContextAI

FastNetMon Community Edition is an open-source DDoS detection tool that processes live BGP session data. The vulnerable code path is in src/bgp_protocol.cpp, where the function decode_bgp_subnet_encoding_ipv4_raw() handles BGP NLRI (Network Layer Reachability Information) encoding for IPv4 prefixes as part of BGP UPDATE message parsing. CWE-120 (Buffer Copy without Checking Size of Input - 'Classic Buffer Overflow') is the root cause class: prefix_bit_length is read directly from the attacker-controlled BGP packet at line 99 with no validation that the value is bounded by 32 (the maximum valid IPv4 prefix length). The helper function how_much_bytes_we_need_for_storing_certain_subnet_mask() computes ceil(prefix_bit_length / 8), which returns up to 32 bytes when prefix_bit_length is 255. That computed length is passed directly to memcpy() at line 106, copying into a 4-byte uint32_t stack variable (prefix_ipv4), producing a stack overflow of up to 28 bytes. A secondary undefined-behavior flaw exists at line 111 in convert_cidr_to_binary_netmask_local_function_copy(), where a bitwise left shift of (32 - cidr) with cidr > 32 produces undefined behavior per the C standard. The CPE data provided (cpe:2.3:a:n/a:n/a) is non-informative; affected product identity is confirmed from the description and GitHub repository reference.

RemediationAI

No vendor-released patched version has been identified in the available data at time of analysis. Operators should monitor the FastNetMon GitHub repository at https://github.com/pavel-odintsov/fastnetmon for a patched release and apply it immediately upon availability. As a compensating control, restrict BGP session peering to explicitly trusted IP addresses using firewall ACLs or BGP peer authentication (TCP MD5 or BGP OPEN message authentication), which reduces the exploitable attack surface to only established, trusted BGP peers - note this does not eliminate risk if a trusted peer is compromised. Disabling or isolating the BGP listener component entirely is the most effective workaround if BGP feed functionality is not operationally required, though this will disable BGP-based traffic visibility. Network segmentation placing FastNetMon listeners behind a BGP-aware firewall or route reflector that drops malformed NLRI attributes can provide additional defense. Review the Lorikeetsecurity security advisory at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow for any researcher-identified mitigations.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-48686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy