Skip to main content

FastNetMon Community Edition CVE-2026-48690

| EUVDEUVD-2026-31897 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-26 mitre GHSA-h9r4-jj3x-8857
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:05 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
7.1 (HIGH)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) arithmetic. With max_captured_packet_size=1500 and sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires approximately 1516 bytes. If buffer_size_in_packets exceeds approximately 2,832,542, the multiplication overflows, resulting in a much smaller allocation than expected. Subsequent write_packet() calls then write past the allocated buffer, causing heap corruption. The buffer_size_in_packets value is derived from the ban_details_records_count configuration parameter, which is parsed using atoi() with no overflow checking.

AnalysisAI

Heap corruption in FastNetMon Community Edition through 1.2.9 allows authenticated local users to trigger an integer overflow in the packet capture buffer allocation routine, resulting in undersized allocations followed by out-of-bounds heap writes during packet storage. The flaw stems from 32-bit unsigned arithmetic in allocate_buffer() in src/packet_storage.hpp, where a sufficiently large ban_details_records_count configuration value causes the memory size calculation to wrap. No public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.01%.

Technical ContextAI

FastNetMon is an open-source DDoS detection and traffic analysis tool that captures packets into a pre-allocated ring-style buffer for forensic recording when bans are triggered. The vulnerable routine computes memory_size_in_bytes using unsigned 32-bit arithmetic as buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t); with the default 1500-byte capture size plus a 16-byte pcap packet header, each packet consumes ~1516 bytes, so a buffer_size_in_packets value above approximately 2,832,542 wraps the 32-bit product. The buffer_size_in_packets is derived from the ban_details_records_count configuration parameter parsed via atoi(), which performs no range or overflow validation. This maps to CWE-122 (Heap-based Buffer Overflow): the undersized allocation succeeds, then write_packet() iterates assuming the originally-requested size and writes past the heap chunk, corrupting adjacent heap metadata or objects.

RemediationAI

No vendor-released patch identified at time of analysis; the CVE references point to the upstream repository and the Lorikeet Security disclosure at https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48690-packet-storage-integer-overflow rather than a tagged fix release, so operators should monitor https://github.com/pavel-odintsov/fastnetmon for a release above 1.2.9 and upgrade once published. As an interim compensating control, set ban_details_records_count in fastnetmon.conf to a conservative value well below 2,832,542 (e.g., the default or a few thousand records) - this directly prevents the multiplication from wrapping and has the trade-off of reducing the per-ban packet capture depth used for forensics. Additionally, restrict write access to fastnetmon.conf and the service's configuration management path to root/trusted operators only, since the overflow is reached through the configuration parser; this has minimal operational side effect in typical deployments where only administrators tune the tool.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-48690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy