CRITICAL🇵🇱 Wersja polska

CVE-2026-48689

CVSS 9.8v3.1pub. 2026-05-26upd. 2026-05-27

FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.

🤖 AI Analysis
How it works

Five methods of the dynamic_binary_buffer_t class (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use incorrect boundary condition checking in the form of 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This makes it possible to write exactly one byte beyond the end of the heap-allocated buffer. This class is widely used during encoding and decoding of BGP messages, processing NetFlow templates, and building Flow Spec NLRI messages. An attacker can trigger overflow by sending specially crafted NetFlow, sFlow, IPFIX, or BGP packets to a vulnerable FastNetMon instance, which can lead to heap metadata corruption and consequently arbitrary code execution.

Impact

An unauthenticated attacker can remotely execute arbitrary code (RCE) on a server running FastNetMon by corrupting heap metadata. Loss of confidentiality, integrity, and availability of the system is also possible.

Mitigation & patch

Apply patches available from the vendor according to the references. Until an update is applied, it is recommended to restrict network access to the FastNetMon instance (NetFlow, sFlow, IPFIX, BGP) only to trusted sources using firewall rules.

Who is affected

FastNetMon Community Edition versions up to and including 1.2.9 (product: Pavel-Odintsov FastNetMon)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pavel Odintsov Fastnetmon

    APP
    Pavel-Odintsov
    ≤ 1.2.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2026-48691CRITICAL9.8PL ✓ten sam produkt

FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow

CVE-2026-48686CRITICAL9.8PL ✓ten sam produkt

Stack buffer overflow w FastNetMon — RCE przez BGP NLRI

CVE-2026-48687CRITICAL9.8PL ✓ten sam produkt

Command injection w pluginie Juniper FastNetMon Community Edition

CVE-2026-48690HIGH7.1ten sam produkt

FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...

CVE-2026-48688HIGH7.5ten sam produkt

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...