High severity7.5NVD Advisory· Published Oct 29, 2017· Updated May 13, 2026

CVE-2017-16227

Description

The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

Affected products

Quagga (software)/Quagga
cpe:2.3:a:quagga:quagga:*:*:*:*:*:*:*:*
Range: <=1.2.1
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.debian.org/879474nvdIssue TrackingPatchThird Party Advisory
git.savannah.gnu.org/cgit/quagga.git/commit/nvdIssue TrackingPatchThird Party Advisory
lists.quagga.net/pipermail/quagga-dev/2017-September/033284.htmlnvdIssue TrackingPatchThird Party Advisory
download.savannah.gnu.org/releases/quagga/quagga-1.2.2.changelog.txtnvdIssue TrackingThird Party Advisory
www.debian.org/security/2017/dsa-4011nvdIssue TrackingThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000