CVE-2026-49943
Stack-Based Buffer Overflow in BIRD Internet Routing Daemon
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cz.nic | bird | to 2.19.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service condition caused by the crash of the BIRD Internet Routing Daemon. An attacker who is an established BGP peer can exploit this by sending specially crafted BGP UPDATE messages with overly long AS_PATH attributes, causing the daemon to overflow its stack buffer and crash. This can disrupt routing services, potentially affecting network stability and availability.
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in the BGP AS_PATH mask matching implementation of the CZ.NIC BIRD Internet Routing Daemon up to version 2.19.0. Specifically, the as_path_match() function uses a fixed-size stack array to process AS_PATH segments, but the parse_path() function can expand AS_PATH segments from a received BGP UPDATE message without enforcing a size limit. When BGP Extended Messages (RFC 8654) are enabled and a BIRD filter evaluates an AS path mask expression, an attacker controlling an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes the daemon to write beyond the fixed stack buffer, leading to a crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stack-based buffer overflow triggered by receiving a BGP UPDATE with an AS_PATH containing more than 2048 expanded ASNs when BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression.
To detect this vulnerability on your network or system, you should monitor BIRD daemon logs for crashes or abnormal terminations related to BGP AS_PATH processing.
Since the issue arises from unusually long AS_PATH attributes, you can inspect BGP UPDATE messages for AS_PATH segments exceeding typical lengths.
- Use tcpdump or similar packet capture tools to capture BGP traffic on port 179, for example: tcpdump -i <interface> port 179 -w bgp_capture.pcap
- Analyze captured BGP UPDATE messages with tools like Wireshark to check for AS_PATH attributes with more than 2048 ASNs.
- Check BIRD daemon logs for crash reports or stack traces related to as_path_match() or parse_path() functions.
Note that no specific detection commands or scripts are provided in the available resources.
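The AS_PATH length check described above can be scripted. The following is an added example, not part of the advisory or of BIRD's code: it parses one BGP UPDATE message (RFC 4271 layout) and counts the ASNs carried in its AS_PATH attribute. The function names are hypothetical, and it assumes 4-octet ASNs, input that is exactly one complete BGP message already extracted from a capture, and that every ASN in every segment counts toward the 2048 figure.

```python
import struct

AS_PATH = 2          # path attribute type code, RFC 4271
EXT_LEN = 0x10       # attribute flag: length field is two octets
LIMIT = 2048         # ASN count named in the advisory text above

def _segment_asns(value: bytes, asn_size: int) -> int:
    """Sum the ASN counts of every segment in an AS_PATH attribute value."""
    total = pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated AS_PATH segment header")
        count = value[pos + 1]            # value[pos] is the segment type
        pos += 2 + count * asn_size
        if pos > len(value):
            raise ValueError("truncated AS_PATH segment")
        total += count
    return total

def as_path_asn_count(msg: bytes, asn_size: int = 4) -> int:
    """Count the ASNs in the AS_PATH of one BGP UPDATE (19-byte header included)."""
    if len(msg) < 23 or msg[18] != 2 or struct.unpack_from("!H", msg, 16)[0] != len(msg):
        raise ValueError("not a complete BGP UPDATE")
    pos = 21 + struct.unpack_from("!H", msg, 19)[0]          # skip withdrawn routes
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")  # end of path attributes
    if end > len(msg):
        raise ValueError("path attributes overrun the message")
    pos += 2
    total = 0
    while pos < end:
        hdr = 4 if msg[pos] & EXT_LEN else 3
        if pos + hdr > end:
            raise ValueError("truncated attribute header")
        length = struct.unpack_from("!H", msg, pos + 2)[0] if hdr == 4 else msg[pos + 2]
        if pos + hdr + length > end:
            raise ValueError("truncated attribute")
        if msg[pos + 1] == AS_PATH:
            total += _segment_asns(msg[pos + hdr:pos + hdr + length], asn_size)
        pos += hdr + length
    return total

def over_limit(msg: bytes, limit: int = LIMIT) -> bool:
    """True when the UPDATE's AS_PATH carries more ASNs than the limit."""
    return as_path_asn_count(msg) > limit

# Constructed sample (not captured traffic): UPDATE with AS_PATH 64512 64513 64514
_seg = bytes([2, 3]) + struct.pack("!3I", 64512, 64513, 64514)
_attr = bytes([0x40, AS_PATH, len(_seg)]) + _seg
SAMPLE_UPDATE = b"\xff" * 16 + struct.pack("!HBHH", 23 + len(_attr), 2, 0, len(_attr)) + _attr
```

A standard 4096-byte BGP message cannot hold 2048 four-octet ASNs, so a count above the limit only appears on sessions where Extended Messages (RFC 8654) are negotiated.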
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by BIRD accepting BGP UPDATE messages with unusually long AS_PATH attributes exceeding 2048 ASNs, which leads to a stack-based buffer overflow and daemon crash.
Immediate mitigation steps include configuring your BGP peers or BIRD filters to reject routes with AS_PATH attributes that are unusually long or exceed a safe threshold.
Since the supplier's position is that all network operators should already be rejecting routes with unusually long attributes, enforcing strict route filtering policies is recommended.
- Implement BGP filter rules in BIRD to limit the maximum length of AS_PATH attributes accepted from peers.
- Monitor and audit BGP UPDATE messages to ensure no excessively long AS_PATHs are accepted.
No official patch or fix prioritization is indicated, so operational controls and filtering are the primary mitigation.