VYPR
Medium severity · 6.5 · NVD Advisory · Published May 4, 2026 · Updated May 11, 2026

CVE-2026-37458

Description

Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) by supplying a crafted UPDATE message.
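To make the affected attribute concrete, the following is an added worked example (illustration only, not FRR code and not part of this advisory): it parses an MP_REACH_NLRI attribute body as laid out in RFC 4760 for AFI=1/SAFI=1 and applies the same kind of martian next-hop check that the referenced patch adds, returning a "withdraw" outcome instead of proceeding. The martian set used here (0.0.0.0/8, 127.0.0.0/8 and class D/E, i.e. 224.0.0.0 and above) is an assumption about what FRR's ipv4_martian() covers; the sample attribute bodies are constructed in the block. The example does not claim to show how the missing check leads to the DoS, which the page does not describe.

```python
"""Parse a BGP MP_REACH_NLRI attribute body (RFC 4760, IPv4 unicast only) and
apply a martian next-hop check modelled on the one in the FRR patch.

Added illustration, not FRR code. ipv4_martian() below is an ASSUMPTION about
FRR's lib function (0/8, 127/8, class D/E); the sample bodies are constructed.
"""
import ipaddress
import struct

AFI_IPV4 = 1
SAFI_UNICAST = 1

# Outcomes loosely modelled on bgpd's BGP_ATTR_PARSE_* results.
PARSE_PROCEED = "proceed"
PARSE_WITHDRAW = "withdraw"   # treat the UPDATE as a withdraw of its NLRI
PARSE_ERROR = "error"         # malformed attribute


def ipv4_martian(addr: ipaddress.IPv4Address) -> bool:
    """Assumed equivalent of FRR's ipv4_martian(): 0/8, 127/8 and class D/E."""
    first_octet = int(addr) >> 24
    return first_octet == 0 or first_octet == 127 or first_octet >= 224


def parse_ipv4_nlri(data: bytes) -> list:
    """Decode the (prefix-length, prefix-bytes) list that follows the next hop."""
    prefixes = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length > 32")
        nbytes = (plen + 7) // 8
        chunk = data[i + 1:i + 1 + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated NLRI")
        raw = chunk.ljust(4, b"\x00")
        prefixes.append(ipaddress.IPv4Network((raw, plen), strict=False))
        i += 1 + nbytes
    return prefixes


def parse_mp_reach(body: bytes, allow_martian: bool = False) -> tuple:
    """Return (outcome, parsed); parsed is a dict on PARSE_PROCEED, else None."""
    if len(body) < 5:
        return PARSE_ERROR, None
    afi, safi, nh_len = struct.unpack("!HBB", body[:4])
    if afi != AFI_IPV4 or safi != SAFI_UNICAST:
        return PARSE_ERROR, None          # example handles IPv4 unicast only
    if nh_len != 4 or len(body) < 4 + nh_len + 1:
        return PARSE_ERROR, None
    nexthop = ipaddress.IPv4Address(body[4:8])
    # The check the patch adds: reject a martian next hop unless the operator
    # explicitly allowed martians (bgp->allow_martian in FRR), and treat the
    # UPDATE as a withdraw rather than accepting the route.
    if ipv4_martian(nexthop) and not allow_martian:
        return PARSE_WITHDRAW, None
    # One reserved octet (ignored on receipt), then the NLRI list.
    try:
        prefixes = parse_ipv4_nlri(body[9:])
    except ValueError:
        return PARSE_ERROR, None
    return PARSE_PROCEED, {"nexthop": nexthop, "nlri": prefixes}


def build_mp_reach(nexthop: str, prefixes: list) -> bytes:
    """Construct an IPv4-unicast MP_REACH_NLRI body for testing (constructed data)."""
    body = struct.pack("!HBB", AFI_IPV4, SAFI_UNICAST, 4)
    body += ipaddress.IPv4Address(nexthop).packed
    body += b"\x00"  # reserved octet
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        nbytes = (net.prefixlen + 7) // 8
        body += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return body


# Constructed samples: one benign next hop and two martian ones.
BENIGN = build_mp_reach("192.0.2.1", ["203.0.113.0/24"])
CRAFTED_LOOPBACK = build_mp_reach("127.0.0.1", ["203.0.113.0/24"])
CRAFTED_MCAST = build_mp_reach("224.0.0.5", ["203.0.113.0/24"])

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("loopback", CRAFTED_LOOPBACK),
                       ("multicast", CRAFTED_MCAST)):
        print(name, parse_mp_reach(body))
        print(name, "allow_martian", parse_mp_reach(body, allow_martian=True))
```

The allow_martian parameter mirrors the operator knob the patch consults; with it set, the martian next hop passes exactly as it did before the fix, which is the behaviour an operator should expect only if they have deliberately enabled it.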

Patches

8102a8aeceb9

bgpd: Validate MP_REACH_NLRI attribute against incorrect next-hop

https://github.com/FRRouting/frr · Donatas Abraitis · Mar 10, 2026 · via nvd-ref
1 file changed · +11 −0
  • bgpd/bgp_attr.c · +11 −0 · modified
    @@ -2747,6 +2747,17 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
     		fallthrough;
     	case BGP_ATTR_NHLEN_IPV4:
     		stream_get(&attr->mp_nexthop_global_in, s, IPV4_MAX_BYTELEN);
    +
    +		/* We do already the same validation for NEXT_HOP attribute,
    +		 * so let's do it here as well for consistency and to avoid potential
    +		 * security issues with martian addresses in MP_REACH_NLRI.
    +		 */
    +		if (ipv4_martian(&attr->mp_nexthop_global_in) && !peer->bgp->allow_martian) {
    +			zlog_warn("%s sent martian nexthop %pI4 in MP_REACH_NLRI", peer->host,
    +				  &attr->mp_nexthop_global_in);
    +			return BGP_ATTR_PARSE_WITHDRAW;
    +		}
    +
     		/* Probably needed for RFC 2283 */
     		if (attr->nexthop.s_addr == INADDR_ANY)
     			memcpy(&attr->nexthop.s_addr,
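Review bot: the martian check is added only on the BGP_ATTR_NHLEN_IPV4 path (plus whatever reaches it through the preceding `fallthrough;`); the other next-hop-length cases of this switch are outside the hunk, so confirm they either already validate the next hop or get the same check, otherwise the "missing input validation" this CVE describes is only partially closed. Two smaller points: returning BGP_ATTR_PARSE_WITHDRAW rather than an attribute error is a deliberate choice that the comment justifies by consistency with NEXT_HOP handling, but it is worth stating in the commit message since it changes how the whole UPDATE is treated; and the `zlog_warn` fires once per offending attribute, so a peer can drive it at line rate unless the logging path is already rate-limited. The comment text "We do already the same validation" reads better as "We already do the same validation".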
    

