Skip to main content

FRRouting (FRR) EUVDEUVD-2026-26977

| CVE-2026-37458 MEDIUM
Improper Input Validation (CWE-20)
2026-05-04 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
May 05, 2026 - 16:22 vuln.today
Analysis Generated
May 05, 2026 - 16:22 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 16:00 euvd
EUVD-2026-26977
CVE Published
May 04, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.

AnalysisAI

Missing input validation in FRRouting stable/10.0 through 10.6 allows authenticated BGP peers to trigger a Denial of Service by sending a crafted UPDATE message with invalid martian addresses in the MP_REACH_NLRI component. An authenticated attacker can crash or severely degrade the BGP routing daemon by exploiting insufficient validation of next-hop addresses, with an EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS scoring.

Technical ContextAI

FRRouting is an open-source IP routing protocol suite. The vulnerability exists in the BGP (Border Gateway Protocol) attribute parser, specifically in the MP_REACH_NLRI (Multiprotocol Reachable NLRI) handling code within bgpd/bgp_attr.c. The MP_REACH_NLRI is a BGP UPDATE message component used to advertise reachable network layer reachability information in multiprotocol extensions. The root cause is CWE-20 (Improper Input Validation) - the parser fails to validate whether the next-hop address is a martian address (reserved, bogus, or otherwise invalid for routing). The fix adds a check using ipv4_martian() to detect invalid addresses and withdraw the route when a martian nexthop is encountered, mirroring validation already applied to the NEXT_HOP attribute. This is a logic flaw in protocol parsing that allows a malformed but syntactically valid BGP message to reach unsafe downstream processing.

RemediationAI

Upgrade FRRouting to a version after stable/10.6 or apply the upstream commit 8102a8aeceb9f86fdfe1f80cd77080522bab69c8 directly to your installation. The patch adds validation of next-hop addresses in the MP_REACH_NLRI parser to reject martian (reserved) IPv4 addresses unless explicitly allowed via the bgp allow-martian configuration directive. For operators unable to patch immediately, implement compensating controls: restrict BGP peers to trusted route originator networks only, enforce strict ingress route filtering (IRR-based prefix lists) to block advertisements from unauthorized ASNs, and configure BGP route dampening to limit the impact of rapid route withdrawals. Monitor BGP route updates for unexpected martian addresses using syslog inspection (look for 'sent martian nexthop' warnings) and alert on BGP session flaps. These controls reduce but do not eliminate the risk; patching is strongly preferred.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-26977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy