Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.
AnalysisAI
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to leak adjacent process memory by sending crafted BGP UPDATE messages containing malformed MP_REACH_NLRI IPv6 attributes. The flaw resides in decode_mp_reach_ipv6() where attacker-controlled length fields drive memcpy operations without bounds validation, and is acknowledged by an in-source TODO comment by the maintainer. No public exploit identified at time of analysis, EPSS is low (0.03%), and CISA SSVC classifies exploitation as 'none' but 'automatable: yes', meaning weaponization is technically straightforward if a threat actor invests effort.
Technical ContextAI
FastNetMon is an open-source DDoS detection and traffic analysis tool that establishes BGP sessions with routers to receive routing updates and signal blackholing/flowspec mitigations. The vulnerable code path is decode_mp_reach_ipv6() in src/bgp_protocol.cpp, which parses BGP multiprotocol extension attribute MP_REACH_NLRI (RFC 4760) for IPv6 address families. The function exhibits classic CWE-125 (Out-of-bounds Read) patterns: raw pointer casts to BGP attribute structures without length verification (line 158), use of attacker-supplied length_of_next_hop as a memcpy size (line 181), and prefix_length dereferenced from a pointer derived from multiple untrusted offsets (line 189) then fed into another unchecked memcpy (line 202). The maintainer's own TODO at line 156 explicitly documents the missing sanity checks, indicating known but unmitigated technical debt.
RemediationAI
No vendor-released patch identified at time of analysis - the referenced source file still contains the TODO acknowledging missing sanity checks, so operators should monitor https://github.com/pavel-odintsov/fastnetmon for a release beyond 1.2.9 and upgrade once an upstream fix lands. As compensating controls, restrict the FastNetMon BGP listener to trusted router peers using host firewall rules (iptables/nftables) or a dedicated management VRF so that only authenticated peer IPs can reach the BGP port (typically TCP/179), which eliminates exposure from arbitrary network attackers at the cost of requiring per-peer firewall maintenance; enable BGP TCP-MD5 or TCP-AO authentication on sessions if both ends support it, noting it does not prevent a malicious peer from sending crafted attributes; and consider disabling MP-BGP IPv6 address-family negotiation on FastNetMon's BGP configuration if IPv6 BGP feeds are not operationally required, which trades IPv6 visibility for elimination of the vulnerable code path. Consult the technical write-up at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48688-bgp-mp-reach-nlri-ipv6 for additional context before applying mitigations.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31844
GHSA-rxgw-72v4-4rvj