Description
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (lines 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in FastNetMon Community Edition's BGP AS_PATH encoder allows an attacker to craft a BGP UPDATE message with an AS_PATH containing more than 63 ASNs. The encoder stores the attribute length in a uint8_t field, truncating values above 255. The truncated length is then used to size a heap buffer, while the full untruncated attribute is copied into that buffer, causing a heap buffer overflow. Likely consequences include arbitrary code execution or denial of service, depending on how the overflow is exploited.
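
The truncation described above, reproduced as an added example that is not FastNetMon's code. `segment_header_t` is a hypothetical stand-in for `bgp_as_path_segment_element_t`, and the checked encoder is one possible approach (the RFC 4271 Extended Length flag), not the project's fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the 2-byte header the advisory calls
// bgp_as_path_segment_element_t (segment type + ASN count).
struct segment_header_t { uint8_t type; uint8_t path_segment_length; };

// Bytes actually written for one AS_PATH segment of asn_count 4-byte ASNs.
size_t actual_attribute_bytes(size_t asn_count) {
    return sizeof(segment_header_t) + asn_count * sizeof(uint32_t);
}

// The flawed pattern: the same sum narrowed into a uint8_t length field.
uint8_t truncated_attribute_length(size_t asn_count) {
    return static_cast<uint8_t>(actual_attribute_bytes(asn_count));
}

// Checked encoder: keeps the length in size_t, sets the Extended Length
// flag (0x10) when it exceeds one octet, and rejects a segment whose ASN
// count does not fit the one-octet count field.
bool encode_as_path_checked(const std::vector<uint32_t>& asns, std::vector<uint8_t>& out) {
    if (asns.size() > UINT8_MAX) return false;           // count field is one octet
    const size_t value_len = actual_attribute_bytes(asns.size());
    const bool extended = value_len > UINT8_MAX;
    out.clear();
    out.reserve(value_len + (extended ? 4 : 3));         // sized from the full length
    out.push_back(extended ? 0x50 : 0x40);               // transitive (+ extended length)
    out.push_back(2);                                    // attribute type code: AS_PATH
    if (extended) out.push_back(static_cast<uint8_t>(value_len >> 8));
    out.push_back(static_cast<uint8_t>(value_len & 0xFF));
    out.push_back(2);                                    // segment type: AS_SEQUENCE
    out.push_back(static_cast<uint8_t>(asns.size()));
    for (uint32_t asn : asns)                            // ASNs in network byte order
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<uint8_t>(asn >> shift));
    return true;
}

int main() {
    std::vector<uint8_t> wire;
    const std::vector<uint32_t> asns(64, 64512);         // constructed sample: 64 private ASNs
    encode_as_path_checked(asns, wire);
    std::printf("64 ASNs: real=%zu truncated=%u checked-encoding=%zu bytes\n",
                actual_attribute_bytes(64), unsigned(truncated_attribute_length(64)), wire.size());
    return 0;
}
```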

Affected Systems

FastNetMon Community Edition software versions up to and including 1.2.9 are affected. The issue resides in src/bgp_protocol.hpp and affects the construction of IPv4UnicastAnnounce attributes during BGP message processing.

Risk and Exploitability

No EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog, indicating that there is no documented exploitation in the wild yet. However, the severity of a heap buffer overflow in a networking daemon is high, and the lack of public exploitation does not reduce the potential damage. Based on the description, the likely attack vector is that an attacker could deliver crafted BGP UPDATE packets from any source with network reachability to the FastNetMon instance to trigger the overflow.

Generated by OpenCVE AI on May 26, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement firewall or policy controls that discard or deny any BGP UPDATE packets carrying excessively long AS_PATH attributes
  • Configure the BGP listener or FastNetMon to reject UPDATE messages with an AS_PATH longer than 63 ASNs, thereby preventing the overflow condition
  • Monitor BGP traffic for abnormal AS_PATH lengths and investigate any suspicious activity

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:30:00 +0000

Values added:
Title: Heap Buffer Overflow via BGP AS_PATH Overwrite in FastNetMon Community Edition
First Time appeared: Pavel-odintsov; Pavel-odintsov fastnetmon
Weaknesses: CWE-120, CWE-190
Vendors & Products: Pavel-odintsov; Pavel-odintsov fastnetmon

Tue, 26 May 2026 17:00:00 +0000

Values added:
Description: (text identical to the Description at the top of this page)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T15:45:19.798Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48691

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-26T17:16:53.670

Modified: 2026-05-26T19:29:02.327

Link: CVE-2026-48691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:15:15Z