CVE-2026-37457
Modified Modified - Updated After Analysis

Out-of-Bounds Write in FRRouting bgpd FlowSpec Component

Vulnerability report for CVE-2026-37457, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-01

Last updated on: 2026-06-30

Assigner: MITRE

Description

An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-01
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-05-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
frrouting frrouting 10.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of the FRRouting (FRR) software. Specifically, it occurs due to an incorrect bounds check on the FlowSpec operator array, which allows writing one element past the end of the array when more than five chained operators are supplied in a FlowSpec component.

This off-by-one error can cause memory corruption or other undefined behavior, which attackers can exploit by supplying a specially crafted FlowSpec component.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause a Denial of Service (DoS) condition in the FRRouting software by exploiting the off-by-one out-of-bounds write.

This means the affected system running FRRouting could crash or become unstable when processing maliciously crafted FlowSpec components, potentially disrupting network routing services.

Mitigation Strategies

To mitigate this vulnerability, you should update your FRRouting (FRR) software to include the fix that corrects the off-by-one error in the bgp_flowspec_op_decode() function.

The fix involves a patch that changes the loop condition to prevent writing past the end of the mval[] array, which addresses the memory corruption issue caused by crafted FlowSpec components.

Applying the commit with hash 0e6882bc72c0278988a47b2f0f73b7a91099a25c from the FRRouting repository will resolve this vulnerability.

Detection Guidance

This vulnerability involves an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of FRRouting's bgpd daemon when processing crafted FlowSpec components.

To detect potential exploitation attempts on your network or system, you can monitor BGP FlowSpec messages for unusually long or malformed FlowSpec components that exceed the expected number of chained operators (more than 5).

While there is no direct command provided in the resources, you can use packet capture tools like tcpdump or Wireshark to capture BGP FlowSpec traffic and analyze the FlowSpec components for abnormal operator counts.

  • Use tcpdump to capture BGP FlowSpec packets on the relevant interface and port (179):
  • tcpdump -i <interface> tcp port 179 -w bgp_flowspec.pcap
  • Analyze the captured packets in Wireshark or with a custom script to inspect FlowSpec components for operator counts exceeding 5.

Additionally, ensure your FRRouting version includes the fix (commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c) to prevent this vulnerability.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart