CRITICAL🇵🇱 Wersja polska

CVE-2026-48691

CVSS 9.8pub. 2026-05-26upd. 2026-05-27

FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.

🤖 AI Analysis
How it works

In the file src/bgp_protocol.hpp, the function IPv4UnicastAnnounce::get_attributes() calculates the length of the AS_PATH attribute as the expression 'sizeof(bgp_as_path_segment_element_t) + number_of_ASNs * sizeof(uint32_t)' and stores the result in a variable of type uint8_t, which can only accept values 0-255. When the AS_PATH contains more than 63 ASN numbers, the calculated value exceeds 255 (for example, 2 + 64*4 = 258), which causes silent truncation to an incorrect, smaller value. The truncated length is used for buffer allocation, while the full, untruncated amount of data is written to memory, resulting in heap buffer overflow. An analogous problem affects the path_segment_length field on line 621, which is also uint8_t and is truncated with more than 255 ASN numbers.

Impact

An attacker can cause data to be written beyond the boundaries of the allocated buffer on the heap, which may result in arbitrary code execution (RCE), or at least abnormal process termination (denial of service). The vulnerability does not require authentication or user interaction.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until an update is applied, it is recommended to restrict network access to the FastNetMon BGP service only to trusted peers and to monitor BGP traffic anomalies.

Who is affected

FastNetMon Community Edition in versions up to and including 1.2.9 (product Pavel-Odintsov/fastnetmon).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pavel Odintsov Fastnetmon

    APP
    Pavel-Odintsov
    ≤ 1.2.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2026-48686CRITICAL9.8PL ✓ten sam produkt

Stack buffer overflow w FastNetMon — RCE przez BGP NLRI

CVE-2026-48689CRITICAL9.8PL ✓ten sam produkt

FastNetMon: off-by-one heap buffer overflow umożliwiający RCE

CVE-2026-48687CRITICAL9.8PL ✓ten sam produkt

Command injection w pluginie Juniper FastNetMon Community Edition

CVE-2026-48688HIGH7.5ten sam produkt

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...

CVE-2026-48690HIGH7.1ten sam produkt

FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...