CVE-2026-49943
Deferred Deferred - Pending Action
Stack-Based Buffer Overflow in BIRD Internet Routing Daemon

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: MITRE

Description
CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-49943
EUVD
EUVD-2026-33980
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cz.nic bird to 2.19.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The primary impact of this vulnerability is a denial of service condition caused by the crash of the BIRD Internet Routing Daemon. An attacker who is an established BGP peer can exploit this by sending specially crafted BGP UPDATE messages with overly long AS_PATH attributes, causing the daemon to overflow its stack buffer and crash. This can disrupt routing services, potentially affecting network stability and availability.

Executive Summary

This vulnerability is a stack-based buffer overflow in the BGP AS_PATH mask matching implementation of the CZ.NIC BIRD Internet Routing Daemon up to version 2.19.0. Specifically, the as_path_match() function uses a fixed-size stack array to process AS_PATH segments, but the parse_path() function can expand AS_PATH segments from a received BGP UPDATE message without enforcing a size limit. When BGP Extended Messages (RFC 8654) are enabled and a BIRD filter evaluates an AS path mask expression, an attacker controlling an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes the daemon to write beyond the fixed stack buffer, leading to a crash.

Detection Guidance

This vulnerability involves a stack-based buffer overflow triggered by receiving a BGP UPDATE with an AS_PATH containing more than 2048 expanded ASNs when BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression.

To detect this vulnerability on your network or system, you should monitor BIRD daemon logs for crashes or abnormal terminations related to BGP AS_PATH processing.

Since the issue arises from unusually long AS_PATH attributes, you can inspect BGP UPDATE messages for AS_PATH segments exceeding typical lengths.

  • Use tcpdump or similar packet capture tools to capture BGP traffic on port 179, for example: tcpdump -i <interface> port 179 -w bgp_capture.pcap
  • Analyze captured BGP UPDATE messages with tools like Wireshark to check for AS_PATH attributes with more than 2048 ASNs.
  • Check BIRD daemon logs for crash reports or stack traces related to as_path_match() or parse_path() functions.

Note that no specific detection commands or scripts are provided in the available resources.

Mitigation Strategies

The vulnerability is caused by BIRD accepting BGP UPDATE messages with unusually long AS_PATH attributes exceeding 2048 ASNs, which leads to a stack-based buffer overflow and daemon crash.

Immediate mitigation steps include configuring your BGP peers or BIRD filters to reject routes with AS_PATH attributes that are unusually long or exceed a safe threshold.

Since the supplier's position is that all network operators should already be rejecting routes with unusually long attributes, enforcing strict route filtering policies is recommended.

  • Implement BGP filter rules in BIRD to limit the maximum length of AS_PATH attributes accepted from peers.
  • Monitor and audit BGP UPDATE messages to ensure no excessively long AS_PATHs are accepted.

No official patch or fix prioritization is indicated, so operational controls and filtering are the primary mitigation.

Compliance Impact

The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart