Skip to main content

FRRouting EUVDEUVD-2026-26703

| CVE-2026-37457 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 mitre
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Source Code Evidence Fetched
May 01, 2026 - 20:30 vuln.today
Analysis Generated
May 01, 2026 - 20:30 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
May 01, 2026 - 18:00 euvd
EUVD-2026-26703
Analysis Generated
May 01, 2026 - 18:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.

AnalysisAI

Remote denial of service in FRRouting stable/10.0 allows unauthenticated attackers to crash the BGP daemon via malformed FlowSpec NLRI messages. The off-by-one vulnerability in bgp_flowspec_op_decode() enables out-of-bounds writes when parsing crafted BGP FlowSpec components, causing process termination. EPSS exploitation probability data not available, but SSVC marks this as automatable with partial technical impact. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting theoretical rather than actively exploited risk.

Technical ContextAI

FRRouting (FRR) is an open-source IP routing protocol suite supporting BGP, OSPF, ISIS, and other protocols, commonly deployed in Linux-based routers and network infrastructure. BGP FlowSpec (RFC 5575/8955) allows networks to distribute traffic filtering rules via BGP, using network layer reachability information (NLRI) to encode match conditions and actions. The vulnerability resides in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() functions in bgpd/bgp_flowspec_util.c, which parse FlowSpec component operators from incoming BGP UPDATE messages. The root cause is CWE-787 (Out-of-bounds Write), specifically an off-by-one error in loop bounds checking against BGP_PBR_MATCH_VAL_MAX. The code used '>' (greater than) instead of '>=' (greater than or equal), allowing the loop counter to reach exactly BGP_PBR_MATCH_VAL_MAX and write one element beyond the allocated buffer. This off-by-one condition is a classic fencepost error in array boundary validation, where the check permits access to index N when only indices 0 through N-1 are valid.

RemediationAI

Apply the upstream patch from GitHub commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c (https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c), which corrects the off-by-one boundary checks in both bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() functions by changing loop termination conditions from 'loop > BGP_PBR_MATCH_VAL_MAX' to 'loop >= BGP_PBR_MATCH_VAL_MAX' and adding early return on boundary violation. Organizations should monitor the FRRouting GitHub releases page and distribution package repositories for an official stable/10.0 point release incorporating this fix. If immediate patching is not feasible, disable BGP FlowSpec capability as a temporary mitigation by removing 'neighbor <peer> flowspec' configuration under the BGP router context, though this eliminates FlowSpec-based DDoS mitigation functionality. Alternatively, implement strict BGP peer authentication and restrict BGP sessions to trusted peers only using TCP MD5 signatures or IPsec transport, reducing the risk of malicious FlowSpec injection - however, this does not eliminate risk from compromised trusted peers. For high-risk deployments, consider moving to alternative routing stacks until a confirmed stable release is available, weighing operational disruption against DoS risk. Route reflectors and route servers should prioritize mitigation due to their central role in BGP topology.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

EUVD-2026-26703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy