CVE-2026-28532
Integer Overflow in FRRouting OSPF LSA Parser
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frrouting | frrouting | to 10.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in FRRouting versions before 10.5.3 and involves an integer overflow in seven OSPF Traffic Engineering and Segment Routing TLV parser functions. Specifically, a 16-bit unsigned integer accumulator variable truncates 32-bit values returned by the TLV_SIZE() macro. This truncation causes the loop termination condition to fail, while pointer advancement continues unchecked. As a result, attackers who have an established OSPF adjacency can send a specially crafted LS Update packet containing a malicious Type 10 or Type 11 Opaque LSA, which triggers out-of-bounds memory reads and causes all affected routers in the OSPF area or autonomous system to crash.
How can this vulnerability impact me? :
The vulnerability can cause routers running affected versions of FRRouting to crash due to out-of-bounds memory reads triggered by malicious LS Update packets. This can lead to denial of service within the OSPF area or autonomous system, potentially disrupting network routing and connectivity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves crafted LS Update packets with malicious Type 10 or Type 11 Opaque LSAs sent by attackers with an established OSPF adjacency. Detection can focus on monitoring OSPF traffic for unusual or malformed LS Update packets, especially those containing Type 10 or Type 11 Opaque LSAs.
Network administrators can use packet capture tools such as tcpdump or Wireshark to inspect OSPF LSAs for anomalies. For example, the following command captures OSPF packets on an interface:
- tcpdump -i <interface> -nn -s 0 -v proto ospf
Further filtering can be applied to look for LS Update packets or specific Opaque LSA types (Type 10 or 11). Additionally, monitoring router logs for crashes or abnormal restarts related to OSPF processes can indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade FRRouting to version 10.5.3 or later, where this integer overflow vulnerability in the OSPF TLV parser functions has been fixed.
The fix involves changes to the TLV parsing logic that prevent integer overflow and out-of-bounds memory reads, thus protecting routers from crashes caused by malicious LS Update packets.
Until the upgrade can be applied, network operators should consider restricting OSPF adjacencies to trusted devices only, monitoring OSPF traffic for suspicious LSAs, and applying any available vendor-specific workarounds or filters to block malformed Opaque LSAs.