Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
AnalysisAI
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
FastNetMon is an open-source/commercial DDoS detection and mitigation tool that ingests high-volume flow telemetry (NetFlow v5/v9, IPFIX, sFlow) and speaks BGP/Flow Spec to trigger blackholing or filtering. The defect is a classic CWE-787 out-of-bounds write: in src/dynamic_binary_buffer.hpp, five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) guard copies with 'if (offset + length > maximum_internal_storage_size + 1)' rather than the correct '> maximum_internal_storage_size', permitting exactly one byte to be written past the end of the heap allocation. The append_byte() method uses the correct check, which both confirms the bug is an inconsistency rather than intended slack and narrows the root cause. Because dynamic_binary_buffer_t backs the binary serialization paths for multiple wire protocols, the off-by-one is triggerable from several distinct, attacker-influenced parsing/encoding routines. The CPE string supplied (cpe:2.3:a:n/a:n/a:*) is a malformed placeholder and does not identify the product, so exact affected-package identification relies on the description.
RemediationAI
No vendor-released patch version is identified at time of analysis - the references point to the upstream repository and the affected header file rather than to a tagged fixed release, so monitor the FastNetMon project (https://github.com/pavel-odintsov/fastnetmon) for a release above 1.2.9 that corrects the five bounds checks from '> maximum_internal_storage_size + 1' to '> maximum_internal_storage_size', and apply it as the primary fix. Until a patched build is available, reduce exposure with network-layer controls: restrict the NetFlow/sFlow/IPFIX collector ports and the BGP listener (TCP/179) with firewall ACLs so only known, trusted exporters and BGP peers can reach the instance - accepting that this breaks telemetry or peering from any source you forget to allowlist; place the FastNetMon management/collector interface on an isolated network segment unreachable from untrusted hosts; and consider temporarily disabling BGP/Flow Spec announcement features if they are not in active use, with the trade-off that automated mitigation actions will stop. Organizations building from source may also apply the one-line correction to dynamic_binary_buffer.hpp directly. Consult the third-party technical write-up at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one and the VulDB advisory at https://vuldb.com/vuln/365762 for further detail.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-787 – Out-of-bounds Write
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31956
GHSA-5444-f65m-f3c8