Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_bgp_attribute() function correctly identifies when extended_length_bit is set and sets length_of_length_field to 2, but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173). Per RFC 4271 Section 4.3, when the Extended Length bit is set, the Attribute Length field is two octets and the value should be read as a 16-bit big-endian integer from value[2] and value[3]. As a result, any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining 256 bytes are then misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access.
AnalysisAI
Out-of-bounds memory access in FastNetMon Community Edition through 1.2.9 allows an authenticated BGP peer to crash the monitoring process by sending a crafted UPDATE message. The parser in src/bgp_protocol.hpp correctly detects the RFC 4271 Extended Length flag but reads only one byte of the mandatory two-byte length field, silently truncating attribute lengths above 255 bytes and causing cascading misparse of subsequent BGP data. With CVSS availability impact rated High and SSVC confirming no known active exploitation, this is a targeted denial-of-service risk primarily affecting network operators using FastNetMon for DDoS detection - no public exploit code identified at time of analysis.
Technical ContextAI
FastNetMon is an open-source DDoS detection platform that ingests and parses BGP routing data to identify anomalous traffic. The flaw lives in src/bgp_protocol.hpp within the parse_raw_bgp_attribute() function. RFC 4271 Section 4.3 specifies that when the Extended Length bit (bit 4 of the attribute flags octet) is set in a BGP UPDATE path attribute, the Attribute Length field is two octets and must be interpreted as a 16-bit big-endian integer. The code sets length_of_length_field = 2 correctly upon detecting the flag, but then reads attribute_value_length = value[2] - a single byte - instead of combining value[2] and value[3] into a 16-bit value. For any attribute whose true length exceeds 255 bytes (e.g., 0x012C = 300), the high byte is silently discarded, yielding 0x2C = 44. The 256-byte gap between the actual and parsed length is then fed back into the attribute parser as if it were new attribute data, causing cascading parse failures and potential out-of-bounds memory access into adjacent heap regions. CWE-130 (Improper Handling of Length Parameter Inconsistency) precisely characterizes this root cause: the software encodes a length field in a two-byte format per the protocol specification but reads it as a one-byte value, creating an inconsistency the attacker can control.
RemediationAI
No vendor-released patch has been identified at time of analysis. The targeted code fix requires modifying parse_raw_bgp_attribute() in src/bgp_protocol.hpp at approximately line 173 to replace the single-byte read with a proper RFC 4271-compliant two-byte big-endian read: when extended_length_bit is set, attribute_value_length should be computed as (static_cast<uint16_t>(value[2]) << 8) | value[3] rather than reading value[2] alone. Operators should monitor the FastNetMon GitHub repository (https://github.com/pavel-odintsov/fastnetmon) and the VulDB advisory (https://vuldb.com/vuln/365664) for an official patched release. As a compensating control, restrict BGP peering to explicitly trusted, authenticated peers using TCP MD5 signatures or BGP session authentication - since PR:L requires an established peer session, reducing the set of authorized peers directly reduces attack surface, though it does not eliminate the vulnerability if a trusted peer is compromised or misconfigured. Consider also placing FastNetMon behind a BGP route reflector that strips non-standard extended attributes before forwarding to FastNetMon, though this may suppress legitimate large attributes and affect detection fidelity. No patch version is available to cite from the provided data.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31841
GHSA-4h2g-xxvj-v3w5