CVE-2026-37457
Status: Received - Intake
Out-of-Bounds Write in FRRouting bgpd FlowSpec Component

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: MITRE

Description
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted FlowSpec component.
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor    | Product | Version / Range
frrouting | frr     | 10.0
frrouting | frr     | to 10.0 (inc)

CWE ID  | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of the FRRouting (FRR) software. Specifically, it occurs due to an incorrect bounds check on the FlowSpec operator array, which allows writing one element past the end of the array when more than five chained operators are supplied in a FlowSpec component.

This off-by-one error can cause memory corruption or other undefined behavior, which attackers can exploit by supplying a specially crafted FlowSpec component.


How can this vulnerability impact me?

The primary impact of this vulnerability is that an attacker can cause a Denial of Service (DoS) condition in the FRRouting software by exploiting the off-by-one out-of-bounds write.

This means the affected system running FRRouting could crash or become unstable when processing maliciously crafted FlowSpec components, potentially disrupting network routing services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update your FRRouting (FRR) software to include the fix that corrects the off-by-one error in the bgp_flowspec_op_decode() function.

The fix involves a patch that changes the loop condition to prevent writing past the end of the mval[] array, which addresses the memory corruption issue caused by crafted FlowSpec components.

Applying the commit with hash 0e6882bc72c0278988a47b2f0f73b7a91099a25c from the FRRouting repository will resolve this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of FRRouting's bgpd daemon when processing crafted FlowSpec components.

To detect potential exploitation attempts on your network or system, you can monitor BGP FlowSpec messages for unusually long or malformed FlowSpec components that exceed the expected number of chained operators (more than 5).

While there is no direct command provided in the resources, you can use packet capture tools like tcpdump or Wireshark to capture BGP FlowSpec traffic and analyze the FlowSpec components for abnormal operator counts.

  • Use tcpdump to capture BGP FlowSpec packets on the relevant interface and port (179):
      tcpdump -i <interface> tcp port 179 -w bgp_flowspec.pcap
  • Analyze the captured packets in Wireshark or with a custom script to inspect FlowSpec components for operator counts exceeding 5.

Additionally, ensure your FRRouting version includes the fix (commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c) to prevent this vulnerability.
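
One way to write the custom script mentioned above, as an added example that is not part of the advisory or of FRR: it walks a single IPv4 FlowSpec NLRI (RFC 8955 encoding) and reports components whose operator chain is longer than five. It assumes the NLRI bytes have already been extracted from the BGP UPDATE by a dissector; the function names, the MAX_CHAINED_OPS constant and the sample byte strings are constructed for illustration.

```python
MAX_CHAINED_OPS = 5  # threshold from this page: more than five chained operators

class FlowSpecParseError(ValueError):
    """Raised when the NLRI is truncated or not valid IPv4 FlowSpec."""

def count_operators(nlri: bytes) -> list:
    """Return [(component_type, operator_count), ...] for one IPv4 FlowSpec NLRI."""
    if not nlri or (nlri[0] >= 0xF0 and len(nlri) < 2):
        raise FlowSpecParseError("missing NLRI length")
    # Length field: one byte below 240, otherwise two bytes encoded as 0xFnnn.
    if nlri[0] >= 0xF0:
        length, pos = ((nlri[0] & 0x0F) << 8) | nlri[1], 2
    else:
        length, pos = nlri[0], 1
    end = pos + length
    if end > len(nlri):
        raise FlowSpecParseError("NLRI shorter than its length field")
    counts = []
    while pos < end:
        ctype, pos = nlri[pos], pos + 1
        if ctype in (1, 2):  # destination / source prefix: length byte + prefix bytes
            if pos >= end:
                raise FlowSpecParseError("truncated prefix component")
            pos += 1 + (nlri[pos] + 7) // 8
            ops = 0
        elif 3 <= ctype <= 12:  # operator/value list; bit 0x80 marks the last pair
            ops = 0
            while True:
                if pos >= end:
                    raise FlowSpecParseError("operator list not terminated")
                op = nlri[pos]
                pos += 1 + (1 << ((op >> 4) & 0x3))  # operator byte + 1/2/4/8 value bytes
                ops += 1
                if op & 0x80:
                    break
        else:
            raise FlowSpecParseError(f"unsupported component type {ctype}")
        if pos > end:
            raise FlowSpecParseError("component runs past the NLRI")
        counts.append((ctype, ops))
    return counts

def suspicious_components(nlri: bytes) -> list:
    """Components whose operator chain exceeds MAX_CHAINED_OPS."""
    return [(t, n) for t, n in count_operators(nlri) if n > MAX_CHAINED_OPS]

# Constructed samples (not captured traffic): a /24 prefix plus "port == 80",
# and a port component carrying six chained "== 80" operators.
BENIGN = bytes([8, 1, 24, 192, 0, 2, 4, 0x81, 80])
CHAINED = bytes([13, 4]) + bytes([0x01, 80]) * 5 + bytes([0x81, 80])
```

A parse error is itself worth logging, since an operator list that never sets the end-of-list bit is malformed input that bgpd would also have to handle.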

