Description
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
Published: 2026-04-30
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FRRouting before version 10.5.3 contains an integer overflow in several OSPF Traffic Engineering and Segment Routing TLV parser functions. The overflow occurs when a 32‑bit size value returned by the TLV_SIZE() macro is stored in a 16‑bit accumulator, causing the loop termination condition to fail while pointer advancement continues unchecked. This out‑of‑bounds memory read can crash all routers that are part of the same OSPF area or autonomous system, resulting in a denial of service that affects routing for that entire network segment.

Affected Systems

The vulnerability affects all installations of the FRRouting software named frr that are running a version older than 10.5.3. No specific patch level is listed for earlier minor releases, so any deployment older than 10.5.3 is potentially exposed.

Risk and Exploitability

The CVSS score of 6.0 characterizes this vulnerability as a moderate risk. The EPSS value is not available, suggesting that no recent exploitation metrics are reported, but the lack of a KEV listing does not preclude exploitation. Exploitation requires an attacker to have an established OSPF adjacency with the target router, after which a crafted LS Update packet containing a malicious Type 10 or 11 opaque LSA can trigger the overflow. The attack is local to the OSPF peer relationship and does not rely on external remote access, so it is not a typical internet‑wide vulnerability, but it can still cause disruptive denial of service within an OSPF domain.

Generated by OpenCVE AI on May 1, 2026 at 04:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FRRouting 10.5.3 or later to eliminate the integer overflow in the OSPF TLV parsers.
  • If an immediate upgrade is not possible, disable processing of OSPF Traffic Engineering and Segment Routing opaque LSAs by configuring appropriate ACLs or OSPF authentication to prevent arbitrary LS updates from untrusted neighbors.
  • Monitor OSPF traffic for anomalous opaque LSA packets and generate alerts for unusual LS Update sizes to detect potential exploitation attempts.

Generated by OpenCVE AI on May 1, 2026 at 04:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 01 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:*

Fri, 01 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Frrouting
Frrouting frrouting
Vendors & Products Frrouting
Frrouting frrouting

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
Title FRRouting < 10.5.3 Integer Overflow in OSPF TLV Parser Functions
Weaknesses CWE-125
CWE-190
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Frrouting Frrouting
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-01T19:46:14.169Z

Reserved: 2026-02-27T21:07:55.469Z

Link: CVE-2026-28532

cve-icon Vulnrichment

Updated: 2026-05-01T16:36:16.425Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T21:16:31.250

Modified: 2026-05-01T17:48:21.397

Link: CVE-2026-28532

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-30T20:17:51Z

Links: CVE-2026-28532 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses