Description
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
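The check the description says is missing can be shown in a small decoder. This is an added example, not FastNetMon's code: the names `nlri_prefix_bytes`, `ipv4_netmask`, `decode_ipv4_nlri_checked` and `ipv4_nlri_t` are hypothetical, and the byte strings in `main` are constructed. It bounds the length octet before the byte-count calculation, the copy, and the netmask shift.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t prefix;      /* host byte order, host bits cleared */
    uint32_t netmask;     /* host byte order */
    uint8_t  bit_length;  /* 0..32 */
} ipv4_nlri_t;

/* ceil(bits / 8): a length octet of 255 yields 32, eight times sizeof(uint32_t). */
static size_t nlri_prefix_bytes(uint8_t bits) {
    return ((size_t)bits + 7u) / 8u;
}

/* Caller guarantees cidr <= 32. cidr == 0 is special-cased because shifting
 * a 32-bit value by 32 is undefined behaviour. */
static uint32_t ipv4_netmask(uint8_t cidr) {
    return cidr == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32u - cidr));
}

/* Decode one <length, prefix> NLRI entry from buf[0..len).
 * Returns bytes consumed, or -1 if the entry is malformed or truncated. */
int decode_ipv4_nlri_checked(const uint8_t *buf, size_t len, ipv4_nlri_t *out) {
    if (buf == NULL || out == NULL || len < 1) return -1;
    uint8_t bits = buf[0];
    if (bits > 32) return -1;              /* reject before any length math */
    size_t need = nlri_prefix_bytes(bits); /* now provably 0..4 */
    if (need > len - 1) return -1;         /* entry runs past the input */
    uint8_t raw[4] = {0, 0, 0, 0};         /* destination sized for the maximum */
    memcpy(raw, buf + 1, need);
    uint32_t addr = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                    ((uint32_t)raw[2] << 8)  |  (uint32_t)raw[3];
    out->netmask = ipv4_netmask(bits);
    out->prefix = addr & out->netmask;
    out->bit_length = bits;
    return (int)(1 + need);
}

int main(void) {
    const uint8_t good[] = {24, 192, 0, 2};   /* constructed: 192.0.2.0/24 */
    const uint8_t bad[]  = {255, 1, 2, 3, 4}; /* constructed: length octet 255 */
    ipv4_nlri_t n;
    printf("good -> %d\n", decode_ipv4_nlri_checked(good, sizeof good, &n));
    printf("bad  -> %d\n", decode_ipv4_nlri_checked(bad, sizeof bad, &n));
    return 0;
}
```

The same function also rejects entries whose declared length runs past the end of the received bytes, which the length check alone does not cover.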
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition through release 1.2.9 decodes BGP NLRI messages without validating the prefix bit length. The vulnerable function reads a value directly from the network and uses it to determine the number of bytes for an IPv4 mask, leading to a stack-based buffer overflow when the value exceeds 32. An attacker can craft a BGP UPDATE with an oversized prefix length, overwrite the stack, and achieve arbitrary code execution on the host running FastNetMon.

Affected Systems

FastNetMon Community Edition up to and including version 1.2.9. The issue is present in the source file bgp_protocol.cpp where the prefix_bit_length field from BGP packets is unchecked. No other products are affected.

Risk and Exploitability

The absence of input validation allows a stack corruption that can be leveraged to achieve remote code execution, so the overall risk is high. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to send a malicious BGP UPDATE packet to the FastNetMon instance, which is typically reachable from other routers or the public internet. Once the packet is processed, the overflow can be triggered without additional authentication, making exploitation straightforward for attackers who can reach the BGP session.

Generated by OpenCVE AI on May 26, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastNetMon to the latest released version that contains the buffer overflow fix (at least 1.3.0).
  • Until the upgrade can be applied, configure firewall or ACL rules to reject BGP UPDATE messages containing prefixes with a length greater than 32 before they reach the FastNetMon process.
  • Restrict BGP neighbor sessions to trusted routers and apply strict prefix filtering or RPKI validation to prevent malformed prefixes from being injected into the measurement system.

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Stack Corruption in FastNetMon BGP NLRI Decoder Leading to Arbitrary Code Execution |
| First Time appeared | | Pavel-odintsov; Pavel-odintsov fastnetmon |
| Weaknesses | | CWE-120 |
| Vendors & Products | | Pavel-odintsov; Pavel-odintsov fastnetmon |

Tue, 26 May 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Same text as the Description at the top of this page |
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T14:46:38.784Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48686

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T16:16:26.693

Modified: 2026-05-26T16:16:26.693

Link: CVE-2026-48686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:10Z
