Description
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
Published: 2026-05-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition, up through version 1.2.9, contains an off‑by‑one error in the dynamic_binary_buffer_t class that allows an attacker to write one byte past the end of a heap‑allocated buffer. The flaw exists in several public methods that are used for BGP, NetFlow, sFlow, and IPFIX message handling and construction. By exploiting the incorrect bounds check, an attacker who can send these protocol messages can corrupt heap metadata and potentially obtain arbitrary code execution on the FastNetMon host. The defect aligns with key buffer manipulation weaknesses, namely CWE‑122, CWE‑193, and CWE‑787.

Affected Systems

Any deployment of FastNetMon Community Edition whose installed version is 1.2.9 or earlier. The vulnerability applies to all builds that include the dynamic_binary_buffer.hpp implementation; no other vendor or product names are specified.

Risk and Exploitability

The flaw is a severe heap overflow that can lead to remote code execution. The CVSS score of 9.8 indicates critical severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires the attacker to send specially crafted network traffic (NetFlow, sFlow, IPFIX, or BGP) to a reachable FastNetMon instance; thus exposure depends on network exposure and firewall rules. The absence of a public exploit does not mitigate the inherent risk of the vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch that addresses the dynamic_binary_buffer.hpp bounds check issue.
  • Restrict the interfaces that accept BGP, NetFlow, sFlow, or IPFIX traffic to trusted networks or use firewall rules to limit traffic to known legitimate sources.
  • If no patch exists, manually edit dynamic_binary_buffer.hpp to replace the bounds check with 'if (offset + length > maximum_internal_storage_size)' and rebuild the binary before redeploying the patched FastNetMon.

Generated by OpenCVE AI on May 27, 2026 at 02:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 03:15:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition Heap Overflow in Dynamic Binary Buffer Allows Remote Code Execution

Wed, 27 May 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-193
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition Heap Overflow in Dynamic Binary Buffer Allows Remote Code Execution

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-787
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T00:20:18.668Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48689

cve-icon Vulnrichment

Updated: 2026-05-27T00:20:11.254Z

cve-icon NVD

Status : Modified

Published: 2026-05-26T19:16:28.663

Modified: 2026-05-27T02:16:33.807

Link: CVE-2026-48689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:05:34Z

Weaknesses