CVE-2026-5107 - Vulnerability Details

Description

A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.

Published: 2026-03-30

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the EVPN Type‑2 Route Handler within FRRouting FRR. An attacker can manipulate routing data via process_type2_route, resulting in improper access controls. This vulnerability allows a remote actor to gain unauthorized access to routing configuration, potentially altering or injecting routes into the BGP EVPN table. The impact is a breach of confidentiality and integrity of routing information, which can affect network reachability and service availability.

Affected Systems

FRRouting’s FRR distribution, affected through all releases up to and including 10.5.1. No affected versions beyond 10.5.1 are listed, so newer releases should be verified for removal.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity. Exploitability is considered difficult and the required attack complexity is high, with the attack vector being remote. No EPSS data or KEV listing is available, suggesting limited active exploitation. Nonetheless, administrators should treat the issue as an unauthorized access risk and apply the patch promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FRRouting

FRR

affected

Version	Status	Constraints
`10.5.0`	affected	—
`10.5.1`	affected	—

No data.

Vendor Product Confidence Versions

Frrouting

81%

Version	Status	Scheme	Platform
`10.5.0`	affected	semver	—
`10.5.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch with commit hash 7676cad65114aa23adde583d91d9d29e2debd045 or upgrade FRRouting FRR to a version later than 10.5.1 that contains the fix.
Confirm installation by verifying the FRR version and reviewing configuration files for EVPN route handlers.
Disable or restrict access to the EVPN Type‑2 Route Interface until the upgrade is completed.
Monitor BGP log entries for abnormal EVPN route events that may indicate attempted exploitation.
Limit privileged network configuration access to trusted administrators and enforce strong authentication.

Generated by OpenCVE AI on March 30, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/FRRouting/frr/
https://github.com/FRRouting/frr/commit/7676cad65114aa23adde583d91d9d29e2debd045
https://github.com/FRRouting/frr/pull/21098
https://vuldb.com/submit/780123
https://vuldb.com/vuln/354132
https://vuldb.com/vuln/354132/cti

History

Mon, 30 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Frrouting Frrouting frrouting
Vendors & Products		Frrouting Frrouting frrouting

Mon, 30 Mar 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.
Title		FRRouting FRR EVPN Type-2 Route bgp_evpn.c process_type2_route access control
Weaknesses		CWE-266 CWE-284
References		https://github.com/FRRouting/frr/ https://github.com/FRRouting/frr/commit/7676cad65114aa23adde583d91d9d29e2debd045 https://github.com/FRRouting/frr/pull/21098 https://vuldb.com/submit/780123 https://vuldb.com/vuln/354132 https://vuldb.com/vuln/354132/cti
Metrics		cvssV2_0 `{'score': 3.6, 'vector': 'AV:N/AC:H/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.2, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Frrouting Frrouting

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-30T05:00:19.025Z

Updated: 2026-03-30T16:02:10.336Z

Reserved: 2026-03-29T17:55:46.788Z

Link: CVE-2026-5107

Vulnrichment

Updated: 2026-03-30T16:02:06.462Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T06:16:05.510

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-5107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:03:40Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object