Description
FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds read vulnerabilities in the BGP MP_REACH_NLRI IPv6 attribute decoder. The decode_mp_reach_ipv6() function fails to validate buffer boundaries when casting raw pointers and when using attacker-controlled length fields to compute memcpy sizes. This allows an attacker to craft a BGP packet that causes the program to read memory beyond the intended buffer, potentially exposing sensitive system or configuration data and providing information that could aid further attacks.

Affected Systems

The vulnerability affects FastNetMon Community Edition versions up to and including 1.2.9. No other products or versions were listed as impacted.

Risk and Exploitability

Based on the description, the likely attack vector is remote injection of crafted BGP packets over the network to a vulnerable FastNetMon instance. An attacker who can send these malicious BGP messages can trigger the out-of-bounds reads. Because the bug originates from parsing a network protocol, it can be exercised remotely from the outside world. The resulting memory disclosures could reveal confidential information that may be leveraged for subsequent attacks. EPSS data is not available and the issue is not listed in CISA’s KEV catalog. The CVSS score is 7.5, reflecting a high severity. No special conditions are required other than the ability to inject crafted BGP traffic.

Generated by OpenCVE AI on May 27, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastNetMon to the latest release that contains a patch for the MP_REACH_NLRI decoder bug
  • Configure the FastNetMon instance to accept BGP updates only from trusted peers or within a hardened network segment
  • Apply network-level filtering or rate limiting to reject malformed BGP packets before they reach the FastNetMon process

Generated by OpenCVE AI on May 27, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Wed, 27 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Read in FastNetMon BGP IPv6 Parser

Tue, 26 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition BGP MP_REACH_NLRI IPv6 Decoder Out-of-Bounds Read
Weaknesses CWE-200

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition BGP MP_REACH_NLRI IPv6 Decoder Out-of-Bounds Read
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-125
CWE-200
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:52:49.002Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48688

cve-icon Vulnrichment

Updated: 2026-05-26T20:51:41.423Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T16:16:26.903

Modified: 2026-06-17T10:55:10.797

Link: CVE-2026-48688

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T00:30:20Z

Weaknesses