Description
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.
Published: 2026-05-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FRRouting (FRR) versions stable/10.0 through stable/10.6 suffer from missing input validation in the MP_REACH_NLRI component. An authenticated attacker can send a specially crafted UPDATE message causing the FRR process to crash or become unresponsive, resulting in a denial of service. The weakness is an improper input validation flaw that can be triggered by malformed routing protocol messages.

Affected Systems

The affected system is FRRouting, commonly deployed on routers and routing platforms. Vulnerable releases include stable/10.0 up to stable/10.6. No vendor or product name is listed in the CNA data, but the software is identified as FRRouting via the GitHub references.

Risk and Exploitability

The CVSS score is not provided in the data, and EPSS is not available, so the exploitation likelihood cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to authenticate to the FRRouting instance or have access to a peer capable of injecting OSPF UPDATE messages. Based on the description, it is inferred that the attack vector is network-level, leveraging OSPF MP_REACH_NLRI messages sent from an authenticated or trusted peer.

Generated by OpenCVE AI on May 4, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the patch from the FRRouting GitHub commit 8102a8aeceb9f86fdfe1f80cd77080522bab69c8 which validates MP_REACH_NLRI input.
  • Upgrade to FRRouting stable/10.7 or newer where the vulnerability has been addressed.
  • If upgrading immediately is not feasible, configure the network to filter or drop malformed MP_REACH_NLRI updates from untrusted peers and consider rate-limiting OSPF UPDATE traffic to mitigate the impact of malformed requests.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Frrouting; Frrouting frrouting

Type: Vendors & Products
Values Removed: (none)
Values Added: Frrouting; Frrouting frrouting

Mon, 04 May 2026 17:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Denial of Service via Crafted MP_REACH_NLRI UPDATE in FRRouting 10.0-10.6

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Mon, 04 May 2026 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T15:20:21.632Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37458

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T16:16:02.170

Modified: 2026-05-04T16:16:02.170

Link: CVE-2026-37458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:30:02Z

Weaknesses