Description
CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.
Published: 2026-06-02
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BIRD Internet Routing Daemon, version 2.19.0 and earlier, contains a stack‑based buffer overflow in the AS_PATH mask matching code. When RFC 8654 BGP Extended Messages are enabled, a BGP UPDATE carrying an AS_PATH longer than 2048 ASNs can be parsed without enforcing a capacity limit, causing as_path_match() to overwrite memory on the stack. The overflow leads to an immediate crash of the daemon, causing loss of routing functionality at that node. This vulnerability is a classic CWE‑121 issue and does not provide direct code execution but does deny service to the affected router.

Affected Systems

All installations of the BIRD Internet Routing Daemon, up to and including version 2.19.0, that enable RFC 8654 extended messages are vulnerable. The product is maintained at https://gitlab.nic.cz/labs/bird, and no official fix is currently in a released version. Network operators using BIRD with extended messages or with permissive route advertisement policies are impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS is not available, and the vulnerability is not yet listed in the CISA KEV catalog, suggesting no confirmed public exploits. However, the attack vector is straightforward: an adversary or compromised BGP peer that sends a long AS_PATH within an extrmessage can trigger the overflow. Operators must consider disallowing extended messages or filtering excessively long AS_PATHs to reduce the risk.

Generated by OpenCVE AI on June 2, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BIRD to the newest released version that contains the fix (once available).
  • Configure BIRD to disable RFC 8654 extended messages or enforce a strict AS_PATH length limit.
  • Implement BGP path filtering or ACLs at upstream peers to reject routes with AS_PATHs exceeding a safe threshold, such as 2048 ASNs.
  • Monitor BIRD process logs for crashes or segmentation faults, and configure failover to maintain routing continuity.
  • Engage with the BIRD community and operators to promote standard route filtering practices.

Generated by OpenCVE AI on June 2, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Stack‑Based Buffer Overflow in BIRD's AS_PATH Mask Matching Leading to Daemon Crash

Tue, 02 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.
First Time appeared Nic
Nic bird
Weaknesses CWE-121
CPEs cpe:2.3:a:nic:bird:*:*:*:*:*:*:*:*
Vendors & Products Nic
Nic bird
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

Nic Bird
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-02T16:19:03.910Z

Reserved: 2026-06-02T16:16:51.394Z

Link: CVE-2026-49943

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-02T17:16:37.657

Modified: 2026-06-02T17:35:17.730

Link: CVE-2026-49943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses