Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) arithmetic. With max_captured_packet_size=1500 and sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires approximately 1516 bytes. If buffer_size_in_packets exceeds approximately 2,832,542, the multiplication overflows, resulting in a much smaller allocation than expected. Subsequent write_packet() calls then write past the allocated buffer, causing heap corruption. The buffer_size_in_packets value is derived from the ban_details_records_count configuration parameter, which is parsed using atoi() with no overflow checking.
AnalysisAI
Heap corruption in FastNetMon Community Edition through 1.2.9 allows authenticated local users to trigger an integer overflow in the packet capture buffer allocation routine, resulting in undersized allocations followed by out-of-bounds heap writes during packet storage. The flaw stems from 32-bit unsigned arithmetic in allocate_buffer() in src/packet_storage.hpp, where a sufficiently large ban_details_records_count configuration value causes the memory size calculation to wrap. No public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.01%.
Technical ContextAI
FastNetMon is an open-source DDoS detection and traffic analysis tool that captures packets into a pre-allocated ring-style buffer for forensic recording when bans are triggered. The vulnerable routine computes memory_size_in_bytes using unsigned 32-bit arithmetic as buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t); with the default 1500-byte capture size plus a 16-byte pcap packet header, each packet consumes ~1516 bytes, so a buffer_size_in_packets value above approximately 2,832,542 wraps the 32-bit product. The buffer_size_in_packets is derived from the ban_details_records_count configuration parameter parsed via atoi(), which performs no range or overflow validation. This maps to CWE-122 (Heap-based Buffer Overflow): the undersized allocation succeeds, then write_packet() iterates assuming the originally-requested size and writes past the heap chunk, corrupting adjacent heap metadata or objects.
RemediationAI
No vendor-released patch identified at time of analysis; the CVE references point to the upstream repository and the Lorikeet Security disclosure at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48690-packet-storage-integer-overflow rather than a tagged fix release, so operators should monitor https://github.com/pavel-odintsov/fastnetmon for a release above 1.2.9 and upgrade once published. As an interim compensating control, set ban_details_records_count in fastnetmon.conf to a conservative value well below 2,832,542 (e.g., the default or a few thousand records) - this directly prevents the multiplication from wrapping and has the trade-off of reducing the per-ban packet capture depth used for forensics. Additionally, restrict write access to fastnetmon.conf and the service's configuration management path to root/trusted operators only, since the overflow is reached through the configuration parser; this has minimal operational side effect in typical deployments where only administrators tune the tool.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31897
GHSA-h9r4-jj3x-8857