Description
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.
Published: 2026-05-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in the FastNetMon Community Edition’s BGP AS_PATH encoder allows an attacker to craft a BGP UPDATE message with an AS_PATH containing more than 63 ASNs. The encoder treats the length of the path as a uint8_t field, truncating values above 255. The truncated length is then used to size a heap buffer, while the full untruncated attribute is copied into that buffer, causing a heap buffer overflow. The likely consequences of the buffer overflow include potential arbitrary code execution or denial of service, depending on how the overflow is exploited.

Affected Systems

FastNetMon Community Edition software versions up to and including 1.2.9 are affected. The issue resides in src/bgp_protocol.hpp and affects the construction of IPv4UnicastAnnounce attributes during BGP message processing.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation, and it is not listed in the CISA KEV catalog. Nonetheless, the vulnerability remains dangerous, especially in a high‑traffic BGP environment. Based on the description, the likely attack vector is delivering a crafted BGP UPDATE packet from any reachable network to the FastNetMon instance, triggering an overflow during processing of the BGP AS_PATH attribute.

Generated by OpenCVE AI on May 27, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FastNetMon update that fixes the integer overflow in the AS_PATH encoder
  • Configure FastNetMon to reject UPDATE messages with an AS_PATH longer than 63 ASNs, thereby preventing the overflow condition
  • Implement firewall or policy controls that discard or deny any BGP UPDATE packets carrying excessively long AS_PATH attributes
  • Monitor BGP traffic for abnormal AS_PATH lengths and investigate any suspicious activity

Generated by OpenCVE AI on May 27, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in FastNetMon BGP AS_PATH Encoder Causes Heap Buffer Overflow

Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow via BGP AS_PATH Overwrite in FastNetMon Community Edition
Weaknesses CWE-120

Wed, 27 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow via BGP AS_PATH Overwrite in FastNetMon Community Edition
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-120
CWE-190
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T20:37:43.097Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48691

cve-icon Vulnrichment

Updated: 2026-05-27T20:34:54.076Z

cve-icon NVD

Status : Modified

Published: 2026-05-26T17:16:53.670

Modified: 2026-05-27T21:16:19.090

Link: CVE-2026-48691

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T00:00:14Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow

  • CWE-190

    Integer Overflow or Wraparound