Description
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
Published: 2026-05-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition through release 1.2.9 decodes BGP NLRI messages without validating the prefix bit length. The vulnerable function reads the value directly from the network and uses it to compute how many bytes to copy for an IPv4 prefix, which overflows a stack buffer when the value exceeds 32. An attacker can craft a BGP UPDATE with an oversized prefix length, overwrite the stack, and achieve arbitrary code execution on the host running FastNetMon. The same unchecked bit length also reaches a shift of (32 - cidr), which is undefined behavior for values greater than 32.

Affected Systems

FastNetMon Community Edition up to and including version 1.2.9. The issue is present in the source file bgp_protocol.cpp where the prefix_bit_length field from BGP packets is unchecked. No other products are affected.

Risk and Exploitability

The absence of input validation allows a stack corruption that can be leveraged to achieve remote code execution, so the overall risk is high. The CVSS score of 9.8 underscores the critical severity of this flaw. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to send a malicious BGP UPDATE packet to the FastNetMon instance, which is typically reachable from other routers or the public internet. Once the packet is processed, the overflow can be triggered without additional authentication, making exploitation straightforward for attackers who can reach the BGP session.

Generated by OpenCVE AI on May 26, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the FastNetMon official repository or vendor channels for a patched release that addresses the stack overflow in the BGP decoder.
  • Until a patch is available, configure firewall or ACL rules to reject BGP UPDATE messages containing prefixes with a length greater than 32 before they reach the FastNetMon process.
  • Restrict BGP neighbor sessions to trusted routers and apply strict prefix filtering or RPKI validation to prevent malformed prefixes from being injected into the measurement system.
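
The validation the description reports as missing, written out as an added C++ example (not FastNetMon's code and not an official patch). The struct and function names are hypothetical; the two checks bound the length byte to 32 and the copy to the bytes actually present in the packet.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added illustration: all names here are hypothetical, not FastNetMon's API.
struct Ipv4Prefix {
    uint32_t address;     // host byte order, bits past the prefix cleared
    uint32_t netmask;     // host byte order
    uint8_t  bit_length;  // 0..32 once decoding succeeds
    size_t   wire_size;   // bytes consumed: 1 length byte + prefix bytes
};

// Netmask for an already validated length. /0 is special-cased because
// shifting a 32-bit value by 32 is undefined behavior.
static uint32_t netmask_for(uint8_t cidr) {
    return cidr == 0 ? 0u : 0xFFFFFFFFu << (32 - cidr);
}

// Decodes one IPv4 NLRI entry: <length in bits, 1 byte><ceil(length/8) bytes>.
// Returns false and leaves *out untouched on malformed input.
bool decode_ipv4_nlri_checked(const uint8_t* data, size_t len, Ipv4Prefix* out) {
    if (data == nullptr || out == nullptr || len < 1) return false;
    const uint8_t bit_length = data[0];
    if (bit_length > 32) return false;                   // IPv4 upper bound
    const size_t prefix_bytes = (bit_length + 7u) / 8u;  // at most 4 from here on
    if (prefix_bytes > len - 1) return false;            // truncated packet

    uint8_t octets[4] = {0, 0, 0, 0};
    static_assert(sizeof(octets) == sizeof(uint32_t), "destination is 4 bytes");
    std::memcpy(octets, data + 1, prefix_bytes);         // bounded by both checks

    const uint32_t mask = netmask_for(bit_length);
    const uint32_t addr = (uint32_t(octets[0]) << 24) | (uint32_t(octets[1]) << 16) |
                          (uint32_t(octets[2]) << 8) | uint32_t(octets[3]);
    out->address = addr & mask;
    out->netmask = mask;
    out->bit_length = bit_length;
    out->wire_size = 1 + prefix_bytes;
    return true;
}

int main() {
    // Constructed inputs: a valid 10.1.2.0/24 and the length byte 255 from the description.
    const uint8_t good[] = {24, 10, 1, 2};
    uint8_t bad[33] = {255};
    Ipv4Prefix p{};
    std::printf("good: %d\n", decode_ipv4_nlri_checked(good, sizeof(good), &p));
    std::printf("bad:  %d\n", decode_ipv4_nlri_checked(bad, sizeof(bad), &p));
    return 0;
}
```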

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Tue, 26 May 2026 23:45:00 +0000

Type Values Removed Values Added
Title Stack Corruption in FastNetMon BGP NLRI Decoder Leading to Arbitrary Code Execution

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Stack Corruption in FastNetMon BGP NLRI Decoder Leading to Arbitrary Code Execution
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-120
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:59:11.887Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48686

Vulnrichment

Updated: 2026-05-26T20:59:08.823Z

NVD

Status: Analyzed

Published: 2026-05-26T16:16:26.693

Modified: 2026-06-17T10:55:10.473

Link: CVE-2026-48686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T23:45:06Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-787

    Out-of-bounds Write