CVE-2026-37457
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Write in FRRouting bgpd FlowSpec Component

Publication date: 2026-05-01

Last updated on: 2026-05-29

Assigner: MITRE

Description
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-37457
EUVD
EUVD-2026-26703
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frrouting frrouting 10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of the FRRouting (FRR) software. Specifically, it occurs due to an incorrect bounds check on the FlowSpec operator array, which allows writing one element past the end of the array when more than five chained operators are supplied in a FlowSpec component.

This off-by-one error can cause memory corruption or other undefined behavior, which attackers can exploit by supplying a specially crafted FlowSpec component.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause a Denial of Service (DoS) condition in the FRRouting software by exploiting the off-by-one out-of-bounds write.

This means the affected system running FRRouting could crash or become unstable when processing maliciously crafted FlowSpec components, potentially disrupting network routing services.

Mitigation Strategies

To mitigate this vulnerability, you should update your FRRouting (FRR) software to include the fix that corrects the off-by-one error in the bgp_flowspec_op_decode() function.

The fix involves a patch that changes the loop condition to prevent writing past the end of the mval[] array, which addresses the memory corruption issue caused by crafted FlowSpec components.

Applying the commit with hash 0e6882bc72c0278988a47b2f0f73b7a91099a25c from the FRRouting repository will resolve this vulnerability.

Detection Guidance

This vulnerability involves an off-by-one out-of-bounds write in the bgp_flowspec_op_decode() function of FRRouting's bgpd daemon when processing crafted FlowSpec components.

To detect potential exploitation attempts on your network or system, you can monitor BGP FlowSpec messages for unusually long or malformed FlowSpec components that exceed the expected number of chained operators (more than 5).

While there is no direct command provided in the resources, you can use packet capture tools like tcpdump or Wireshark to capture BGP FlowSpec traffic and analyze the FlowSpec components for abnormal operator counts.

  • Use tcpdump to capture BGP FlowSpec packets on the relevant interface and port (179):
  • tcpdump -i <interface> tcp port 179 -w bgp_flowspec.pcap
  • Analyze the captured packets in Wireshark or with a custom script to inspect FlowSpec components for operator counts exceeding 5.

Additionally, ensure your FRRouting version includes the fix (commit 0e6882bc72c0278988a47b2f0f73b7a91099a25c) to prevent this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart