CVE-2026-48688 - Vulnerability Details

Description

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.

Published: 2026-05-26

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds read vulnerabilities in the BGP MP_REACH_NLRI IPv6 attribute decoder. The decode_mp_reach_ipv6() function fails to validate buffer boundaries when casting raw pointers and when using attacker-controlled length fields to compute memcpy sizes. This allows an attacker to craft a BGP packet that causes the program to read memory beyond the intended buffer, potentially exposing sensitive system or configuration data and providing information that could aid further attacks.

Affected Systems

The vulnerability affects FastNetMon Community Edition versions up to and including 1.2.9. No other products or versions were listed as impacted.

Risk and Exploitability

An attacker who can send malicious BGP messages to a vulnerable FastNetMon instance can trigger the out-of-bounds reads. Because the bug originates from parsing a network protocol, it can be exercised remotely from the outside world. The resulting memory disclosures could reveal confidential information that may be leveraged for subsequent attacks. EPSS data is not available and the issue is not listed in CISA’s KEV catalog. The CVSS score is not provided in the input, but the presence of a remote, user-controlled input that leads to a data leak suggests a moderate to high confidentiality risk. No special conditions are required other than the ability to inject crafted BGP traffic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Pavel-odintsov

Fastnetmon

80%

Version	Status	Scheme	Platform
`[0,1.2.9]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade FastNetMon to the latest release that contains a patch for the MP_REACH_NLRI decoder bug
Configure the FastNetMon instance to accept BGP updates only from trusted peers or within a hardened network segment
Apply network-level filtering or rate limiting to reject malformed BGP packets before they reach the FastNetMon process

Generated by OpenCVE AI on May 26, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48688-bgp-mp-reach-nlri-ipv6

History

Tue, 26 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		FastNetMon Community Edition BGP MP_REACH_NLRI IPv6 Decoder Out-of-Bounds Read
First Time appeared		Pavel-odintsov Pavel-odintsov fastnetmon
Weaknesses		CWE-125 CWE-200
Vendors & Products		Pavel-odintsov Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.
References		https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48688-bgp-mp-reach-nlri-ipv6

Subscriptions

Pavel-odintsov Fastnetmon

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-26T00:00:00.000Z

Updated: 2026-05-26T15:00:08.012Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48688

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T16:16:26.903

Modified: 2026-05-26T16:16:26.903

Link: CVE-2026-48688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object