Skip to main content

BIRD Routing Daemon CVE-2026-49943

| EUVDEUVD-2026-33980 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-02 mitre GHSA-64c8-8qx9-25r7
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 17:32 vuln.today

DescriptionCVE.org

CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.

AnalysisAI

Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.

Technical ContextAI

BIRD's BGP implementation processes AS_PATH attributes via parse_path() and as_path_match() in nest/a-path.c. The as_path_match() function allocates a fixed-size stack array of 2049 pm_pos entries for mask pattern matching. RFC 8654 (BGP Extended Messages, RFC 8654) lifts the 4096-byte BGP UPDATE size cap, enabling AS_PATH attributes long enough to carry more than 2048 individual ASNs after segment expansion. Because parse_path() expands these segments without enforcing a bound against the fixed 2049-entry stack array, any expansion exceeding that limit overwrites adjacent stack frames. CWE-121 (Stack-based Buffer Overflow) identifies the root cause: a statically-sized stack allocation paired with unbounded input-driven expansion. The CPE cpe:2.3:a:nic:bird:*:*:*:*:*:*:*:* covers all versioned releases of the BIRD daemon, with the upper bound confirmed at 2.19.0. The CVSS scope change (S:C) reflects that a BIRD crash disrupts all routing sessions and dependent forwarding plane state managed by that daemon instance.

RemediationAI

No vendor-released patch identified at time of analysis - the supplier has explicitly stated that a fix is not being prioritized, citing the expectation that network operators already reject routes with abnormally long AS_PATH attributes as standard BGP hygiene. Three specific compensating controls map directly to the three exploitation prerequisites: first, disable RFC 8654 BGP Extended Messages on BIRD instances where extended message support is not operationally required, which eliminates the ability to receive UPDATE messages long enough to trigger the overflow (trade-off: removes support for legitimate long BGP messages); second, remove or rewrite AS path mask filter expressions (bgp_path ~ [= ... =]) from BIRD configurations where feasible, which removes the code path invoking as_path_match() entirely (trade-off: loses AS path pattern matching capability); third, enforce strict inbound BGP route policy on all peer sessions - at the upstream router, edge filter, or RPKI/IRR layer - to reject UPDATE messages whose AS_PATH contains more than a safe threshold of ASNs (e.g., 200-400 ASNs is a common operational ceiling). This last control is the vendor's recommended mitigation and has no significant operational downside for well-maintained networks. Monitor the NEWS file at https://gitlab.nic.cz/labs/bird/-/blob/master/NEWS for any future patch release.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-49943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy