CVE-2026-48715
Stack Buffer Overflow in radvd radvdump Utility

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the `radvdump` utility shipped with radvd contains a stack buffer overflow in the Route Information option parser. When processing a crafted ICMPv6 Router Advertisement, `print_ff()` copies up to 2032 bytes from attacker-controlled packet data into a 16-byte `struct in6_addr` on the stack, overflowing by up to 2016 bytes. Note that the main `radvd` daemon is not affected by the vulnerability. Version 2.21 patches the issue.

Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-21
AI Q&A: 2026-06-19
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: radvd_project
Product: radvdump
Version / Range: to 2.20 (inc)
CWE
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

CVE-2026-48715 is a stack-based buffer overflow vulnerability in the radvdump utility, which is part of the radvd package used for IPv6 router advertisements. The issue exists in the Route Information option parser, where the function `print_ff()` copies up to 2032 bytes from attacker-controlled packet data into a 16-byte structure on the stack, causing an overflow of up to 2016 bytes. This happens because the code does not properly validate the length field of the Route Information option, allowing values beyond the limits specified by RFC 4191.

The vulnerability only affects radvdump and not the main radvd daemon. Exploitation requires the attacker to be on the same network segment (network adjacency) and to send a specially crafted ICMPv6 Router Advertisement packet. The vulnerability has been fixed in radvdump version 2.21 by adding strict validation of the length field and other security hardening measures.

Impact Analysis

This vulnerability can have a high impact on the affected system's confidentiality, integrity, and availability. Because it is a stack buffer overflow, a successful exploit could allow an attacker to execute arbitrary code remotely on the system running radvdump.

The attack vector is limited to network adjacency, meaning the attacker must be on the same local network segment and send a crafted ICMPv6 Router Advertisement packet to trigger the overflow. If exploited, this could lead to remote code execution, potentially compromising the system.

Detection Guidance

The vulnerability exists in the radvdump utility when processing crafted ICMPv6 Router Advertisement packets containing malformed Route Information options. Detection involves monitoring for suspicious or malformed ICMPv6 Router Advertisement packets on your network, especially those targeting the radvdump utility.

Since the vulnerability is triggered by crafted packets with invalid `nd_opt_ri_len` values exceeding RFC 4191 limits, you can use packet capture tools like tcpdump or Wireshark to filter and analyze ICMPv6 Router Advertisement traffic for anomalies.

  • Use tcpdump to capture ICMPv6 Router Advertisement packets: `tcpdump -i <interface> 'icmp6 and ip6[40] == 134'`
  • Analyze captured packets with Wireshark to inspect Route Information options for invalid length fields.

Additionally, check if the radvdump utility is running on your system, as the main radvd daemon is not affected.
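
The length check described in this section, as an added example that is not part of the original advisory or of radvd's code: it walks the options of one ICMPv6 Router Advertisement and reports Route Information options (type 24) whose length field falls outside the 1 to 3 range that RFC 4191 allows. The names `audit_ra` and `build_ra` and the three sample packets are constructed for illustration.

```python
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type matched by the tcpdump filter above
ND_OPT_ROUTE_INFO = 24   # Route Information option type (RFC 4191)
RA_HEADER_LEN = 16       # fixed Router Advertisement fields before the options

def audit_ra(icmp6: bytes) -> list:
    """Return findings for one ICMPv6 message (bytes starting at the type field)."""
    if len(icmp6) < RA_HEADER_LEN or icmp6[0] != ND_ROUTER_ADVERT:
        return ["not a complete Router Advertisement"]
    findings, off = [], RA_HEADER_LEN
    while off < len(icmp6):
        if len(icmp6) - off < 2:
            findings.append(f"offset {off}: truncated option header")
            break
        opt_type, opt_len = icmp6[off], icmp6[off + 1]  # length in 8-octet units
        if opt_len == 0:
            findings.append(f"offset {off}: option length 0")
            break
        is_ri = opt_type == ND_OPT_ROUTE_INFO
        if is_ri and opt_len > 3:
            findings.append(f"offset {off}: Route Information length {opt_len} claims "
                            f"{(opt_len - 1) * 8} prefix bytes, limit is 16")
        end = off + opt_len * 8
        if end > len(icmp6):
            findings.append(f"offset {off}: option type {opt_type} runs past the packet")
            break
        if is_ri and opt_len <= 3:
            plen = icmp6[off + 2]
            needed = 1 if plen == 0 else 2 if plen <= 64 else 3
            if plen > 128:
                findings.append(f"offset {off}: prefix length {plen} exceeds 128")
            elif opt_len < needed:
                findings.append(f"offset {off}: length {opt_len} too small for /{plen}")
        off = end
    return findings

def build_ra(options: bytes) -> bytes:
    """Constructed test input: zeroed RA header followed by the given options."""
    return bytes([ND_ROUTER_ADVERT, 0]) + bytes(RA_HEADER_LEN - 2) + options

# Constructed samples, not captured traffic.
VALID = build_ra(bytes([24, 2, 64, 0]) + struct.pack("!I", 1800)
                 + bytes.fromhex("20010db800010000"))
OVERSIZED = build_ra(bytes([24, 255, 64, 0]) + bytes(2036))
TRUNCATED = build_ra(bytes([24, 4, 0, 0]) + bytes(4))

if __name__ == "__main__":
    for name, pkt in (("valid", VALID), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(name, audit_ra(pkt))
```

To use it on a capture, pass each packet's ICMPv6 payload (the bytes after the 40-byte IPv6 header, assuming no extension headers, as the tcpdump filter also assumes).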

Mitigation Strategies

The primary mitigation is to upgrade the radvdump utility to version 2.21 or later, where the vulnerability has been patched.

The patch includes strict validation of the Route Information option length field, improved buffer handling, and dropping root privileges to reduce risk.

  • Update radvdump to version 2.21 or newer.
  • If upgrading immediately is not possible, restrict access to the radvdump utility and monitor for suspicious ICMPv6 Router Advertisement traffic.
  • Consider running radvdump with reduced privileges using the new '-u' option to specify a non-root user.

Compliance Impact

The vulnerability in radvdump allows for a stack-based buffer overflow that can lead to remote code execution, impacting confidentiality, integrity, and availability of affected systems.

Such impacts on confidentiality and integrity could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly discuss compliance implications or how this vulnerability directly relates to regulatory requirements.
