Description
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FRRouting (FRR) implements a function rfapiRibBi2Ri() that processes BGP UPDATE messages without proper input validation. An attacker can craft a malformed BGP UPDATE packet and send it to an FRR instance, triggering a crash or memory corruption that results in a denial of service. The core weakness is an improper input validation flaw (CWE-20), leading to availability loss for the network service.

Affected Systems

FRRouting (FRR) stable release series 10.0 through 10.6 are affected. Any deployment of FRR within this version range that accepts BGP UPDATE messages is vulnerable.

Risk and Exploitability

No CVSS score is listed for this vulnerability, and the EPSS score is not available, leaving the exploitation probability uncertain. It is not currently listed in the CISA KEV catalog. Based on the description, the attack can be performed remotely by an entity with network access to the FRR instance, using crafted BGP UPDATE packets to cause an outage. Availability impact can affect network reachability and routing stability, potentially disrupting all services that rely on the affected FRR instance.

Generated by OpenCVE AI on June 3, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 7676cad65114aa23adde58 or merge pull request 21098 to resolve the input validation issue in rfapiRibBi2Ri()
  • Upgrade FRRouting to a release newer than stable/10.6 that contains the issued patch
  • Implement BGP message filtering to reject malformed UPDATE packets before they reach FRRouting

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:15:00 +0000

Type        | Values Removed | Values Added
Title       |                | Denial of Service via Missing Input Validation for BGP UPDATE in FRRouting
Weaknesses  |                | CWE-20

Wed, 03 Jun 2026 14:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
References  |                |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T13:59:50.777Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37460

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-03T14:16:42.897

Modified: 2026-06-03T14:16:42.897

Link: CVE-2026-37460

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:00:16Z

Weaknesses