Skip to main content

FastNetMon EUVDEUVD-2026-31898

| CVE-2026-48691 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-05-26 mitre GHSA-pjmc-gjwh-qr2w
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 19:39 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
9.8 (CRITICAL)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.

AnalysisAI

Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.

Technical ContextAI

FastNetMon is a DDoS detection and mitigation platform that peers over BGP to announce blackhole and Flow Spec routes to upstream routers, so it must serialize BGP UPDATE messages including the AS_PATH path attribute. The defect (CWE-190, Integer Overflow or Wraparound) is in IPv4UnicastAnnounce::get_attributes() at src/bgp_protocol.hpp lines ~600-605, where attribute_length is computed as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stored in a uint8_t. Because uint8_t holds only 0-255, an AS_PATH with more than 63 four-byte ASNs (2 + 64*4 = 258 > 255) wraps around; the truncated value drives buffer allocation while the encoder writes the full untruncated byte count, producing a heap overflow. A second uint8_t field, path_segment_length at line 621, truncates similarly once the AS_PATH exceeds 255 ASNs. The supplied CPE (cpe:2.3:a:n/a:n/a:*) is a placeholder and provides no precise product/vendor mapping.

RemediationAI

No vendor-released patch version is identified in the supplied data, and the references point to the upstream repository and source file rather than a tagged fixed release, so confirm a fixed build directly with the maintainer at https://github.com/pavel-odintsov/fastnetmon before deploying. As compensating controls until a patched version is confirmed, change the truncating uint8_t length fields (attribute_length around lines 600-605 and path_segment_length at line 621 in src/bgp_protocol.hpp) to a wider type or add an explicit guard rejecting any AS_PATH with more than 63 ASNs before encoding (trade-off: announcements with very long paths would be dropped rather than sent); and constrain FastNetMon's BGP configuration so it only peers with and accepts AS_PATH inputs from trusted upstream/route-server sources, reducing the chance that an oversized AS_PATH reaches the encoder (trade-off: tighter peering policy and possible operational overhead). Track CVE-2026-48691 / EUVD-2026-31898 via https://nvd.nist.gov/vuln/detail/CVE-2026-48691 for the official fixed version.

Share

EUVD-2026-31898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy