Executive Summary

CVE-2026-5107 is a vulnerability in FRRouting's FRR software up to version 10.5.1, specifically in the EVPN Type-2 Route Handler function process_type2_route within the bgpd/bgp_evpn.c file.

The vulnerability arises from improper access controls due to insufficient validation of packet sizes and internal IP address length fields when processing EVPN Type-2 routes. This can allow malformed or inconsistent packets to be processed, potentially leading to memory safety issues.

The attack can be initiated remotely but is considered to have high complexity and difficult exploitability.

The vulnerability is addressed by adding strict cross-validation checks between the packet size and the internal IP address length, ensuring only correctly formed packets are processed. Additional validations are also applied to EVPN Type-3 and Type-4 routes and ENCAP/VNC sub-TLVs to prevent processing of malformed packets.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to send malformed EVPN Type-2 route packets that bypass proper validation, potentially causing improper access control within the FRRouting BGP daemon.

While the exploitability is difficult and the attack complexity is high, successful exploitation could lead to memory safety issues such as out-of-bounds reads or zero-byte memory allocations, which might cause crashes or unexpected behavior in the routing software.

Such issues could disrupt network routing operations, degrade service availability, or potentially be leveraged for further attacks depending on the environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability relates to improper packet parsing and validation in FRRouting's BGP daemon (bgpd), specifically in EVPN Type-2, Type-3, and Type-4 route processing and ENCAP/VNC sub-TLV handling. Detection involves monitoring for malformed or inconsistent EVPN route packets that violate expected packet size and IP address length constraints.

To detect potential exploitation attempts or malformed packets, you can enable detailed logging on the FRRouting bgpd daemon to capture errors related to EVPN route processing. The patched code logs errors with the code EC_BGP_EVPN_ROUTE_INVALID including VRF ID, peer host, and invalid IP length when malformed packets are detected.

While no specific commands are provided in the resources, general suggestions include:

• Enable verbose or debug logging in FRRouting's bgpd to capture EVPN route parsing errors.
• Use packet capture tools (e.g., tcpdump or Wireshark) to monitor BGP EVPN traffic and analyze packets for abnormal sizes or malformed IP address lengths.
• Check FRRouting logs for entries indicating rejected EVPN Type-2, Type-3, or Type-4 routes or ENCAP/VNC sub-TLVs due to invalid length or format.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to deploy the patch identified by commit 7676cad65114aa23adde583d91d9d29e2debd045, which improves packet parsing and validation in FRRouting's bgpd component to prevent processing of malformed EVPN route packets and ENCAP/VNC sub-TLVs.

Additional immediate steps include:

• Update FRRouting to version 10.6 or later where the patch has been backported and merged.
• Enable strict input validation and logging to detect and reject malformed EVPN packets.
• Monitor network traffic for suspicious EVPN route packets and block or isolate sources of malformed packets if detected.

Useful 0 Not Useful 0

Compliance Impact

The provided information about CVE-2026-5107 does not include any details on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0