Skip to main content

FastNetMon CVE-2026-48689

| EUVDEUVD-2026-31956 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-26 mitre GHSA-5444-f65m-f3c8
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 26, 2026 - 21:28 vuln.today
CVSS changed
May 26, 2026 - 20:22 NVD
9.8 (CRITICAL)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.

AnalysisAI

Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

FastNetMon is an open-source/commercial DDoS detection and mitigation tool that ingests high-volume flow telemetry (NetFlow v5/v9, IPFIX, sFlow) and speaks BGP/Flow Spec to trigger blackholing or filtering. The defect is a classic CWE-787 out-of-bounds write: in src/dynamic_binary_buffer.hpp, five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) guard copies with 'if (offset + length > maximum_internal_storage_size + 1)' rather than the correct '> maximum_internal_storage_size', permitting exactly one byte to be written past the end of the heap allocation. The append_byte() method uses the correct check, which both confirms the bug is an inconsistency rather than intended slack and narrows the root cause. Because dynamic_binary_buffer_t backs the binary serialization paths for multiple wire protocols, the off-by-one is triggerable from several distinct, attacker-influenced parsing/encoding routines. The CPE string supplied (cpe:2.3:a:n/a:n/a:*) is a malformed placeholder and does not identify the product, so exact affected-package identification relies on the description.

RemediationAI

No vendor-released patch version is identified at time of analysis - the references point to the upstream repository and the affected header file rather than to a tagged fixed release, so monitor the FastNetMon project (https://github.com/pavel-odintsov/fastnetmon) for a release above 1.2.9 that corrects the five bounds checks from '> maximum_internal_storage_size + 1' to '> maximum_internal_storage_size', and apply it as the primary fix. Until a patched build is available, reduce exposure with network-layer controls: restrict the NetFlow/sFlow/IPFIX collector ports and the BGP listener (TCP/179) with firewall ACLs so only known, trusted exporters and BGP peers can reach the instance - accepting that this breaks telemetry or peering from any source you forget to allowlist; place the FastNetMon management/collector interface on an isolated network segment unreachable from untrusted hosts; and consider temporarily disabling BGP/Flow Spec announcement features if they are not in active use, with the trade-off that automated mitigation actions will stop. Organizations building from source may also apply the one-line correction to dynamic_binary_buffer.hpp directly. Consult the third-party technical write-up at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one and the VulDB advisory at https://vuldb.com/vuln/365762 for further detail.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-48689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy