Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
AnalysisAI
Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.
Technical ContextAI
FastNetMon Community Edition is an open-source DDoS detection tool that processes live BGP session data. The vulnerable code path is in src/bgp_protocol.cpp, where the function decode_bgp_subnet_encoding_ipv4_raw() handles BGP NLRI (Network Layer Reachability Information) encoding for IPv4 prefixes as part of BGP UPDATE message parsing. CWE-120 (Buffer Copy without Checking Size of Input - 'Classic Buffer Overflow') is the root cause class: prefix_bit_length is read directly from the attacker-controlled BGP packet at line 99 with no validation that the value is bounded by 32 (the maximum valid IPv4 prefix length). The helper function how_much_bytes_we_need_for_storing_certain_subnet_mask() computes ceil(prefix_bit_length / 8), which returns up to 32 bytes when prefix_bit_length is 255. That computed length is passed directly to memcpy() at line 106, copying into a 4-byte uint32_t stack variable (prefix_ipv4), producing a stack overflow of up to 28 bytes. A secondary undefined-behavior flaw exists at line 111 in convert_cidr_to_binary_netmask_local_function_copy(), where a bitwise left shift of (32 - cidr) with cidr > 32 produces undefined behavior per the C standard. The CPE data provided (cpe:2.3:a:n/a:n/a) is non-informative; affected product identity is confirmed from the description and GitHub repository reference.
RemediationAI
No vendor-released patched version has been identified in the available data at time of analysis. Operators should monitor the FastNetMon GitHub repository at https://github.com/pavel-odintsov/fastnetmon for a patched release and apply it immediately upon availability. As a compensating control, restrict BGP session peering to explicitly trusted IP addresses using firewall ACLs or BGP peer authentication (TCP MD5 or BGP OPEN message authentication), which reduces the exploitable attack surface to only established, trusted BGP peers - note this does not eliminate risk if a trusted peer is compromised. Disabling or isolating the BGP listener component entirely is the most effective workaround if BGP feed functionality is not operationally required, though this will disable BGP-based traffic visibility. Network segmentation placing FastNetMon listeners behind a BGP-aware firewall or route reflector that drops malformed NLRI attributes can provide additional defense. Review the Lorikeetsecurity security advisory at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow for any researcher-identified mitigations.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31842
GHSA-7p7c-c3vp-p386