Skip to main content

FRRouting EUVDEUVD-2026-26418

| CVE-2026-28532 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-04-30 VulnCheck
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
CVSS changed
Apr 30, 2026 - 21:22 NVD
6.5 (MEDIUM) 6.0 (MEDIUM)
Source Code Evidence Fetched
Apr 30, 2026 - 20:45 vuln.today
Analysis Generated
Apr 30, 2026 - 20:45 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 20:30 euvd
EUVD-2026-26418
Analysis Generated
Apr 30, 2026 - 20:30 vuln.today
Patch released
Apr 30, 2026 - 20:30 nvd
Patch available
CVE Published
Apr 30, 2026 - 20:17 nvd
MEDIUM 6.0

DescriptionCVE.org

FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

AnalysisAI

FRRouting before version 10.5.3 contains an integer overflow vulnerability in OSPF Traffic Engineering and Segment Routing TLV parser functions that allows attackers with an established OSPF adjacency to send a malicious Type 10 or Type 11 Opaque LSA and trigger out-of-bounds memory reads, crashing all affected routers in the OSPF area. The vulnerability results from a uint16_t accumulator variable truncating uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. This is a denial-of-service attack requiring OSPF neighbor status but no user interaction or additional privileges.

Technical ContextAI

FRRouting is an open-source routing software suite implementing OSPF and other routing protocols. The vulnerability exists in the OSPF Traffic Engineering (TE) and Segment Routing (SR) TLV (Type-Length-Value) parser functions. The root cause is an integer overflow (CWE-190) where a uint16_t accumulator variable is used to track the cumulative size of parsed TLV sub-objects within a larger LSA payload. The TLV_SIZE() macro returns a uint32_t value, but when assigned to the uint16_t accumulator, it silently truncates on overflow. This causes the loop condition checking if the accumulator has reached the expected TLV block size to exit prematurely while the pointer continues to advance into adjacent memory regions. Type 10 and Type 11 Opaque LSAs carry TE and SR extensions respectively, making them the attack vectors. Affected OSPF implementations parse these LSAs from trusted OSPF neighbors; the vulnerability triggers when a neighbor with established adjacency sends a crafted LSA with malicious sub-TLV lengths.

RemediationAI

Upgrade FRRouting to version 10.5.3 or later, which includes the hardened TE/SR TLV iteration fix (commit f098decf02987fbf1c891766c1516ac832adadfd from PR #21002). The patch modifies the TLV parser to correctly validate sub-TLV lengths and prevent the integer overflow truncation. For distributions, update via package manager (Debian: apt-get install frr=10.5.3-*, RPM: rpm -Uvh frr-10.5.3-*, Docker: pull the latest tag from quay.io/frrouting/frr, Snap: snap refresh frr). If immediate upgrade is not feasible, implement network-level mitigations: restrict OSPF adjacency formation to trusted routers only by enforcing OSPF authentication (MD5 or HMAC-SHA256 via neighbor X.X.X.X password) and using prefix lists and distribute-lists to filter untrusted LSA origins. Disable OSPF TE/SR extensions if not required by the network (commands: no mpls-te on and no segment-routing on in OSPF context), which eliminates the vulnerable code path but sacrifices Traffic Engineering and Segment Routing capabilities. Monitor OSPF adjacency changes and LSA updates for anomalies; log and alert on Type 10/11 Opaque LSAs from unexpected sources. These workarounds trade operational feature loss against immediate crash protection while patches are tested and deployed.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

EUVD-2026-26418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy