CVE-2026-37460
Description
FRRouting's rfapiRibBi2Ri function lacks input validation, allowing crafted BGP UPDATE messages to cause a Denial of Service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Missing input validation in the rfapiRibBi2Ri() function within rfapi_rib.c of FRRouting (FRR), versions from stable/10.0 to stable/10.6, allows a Denial of Service (DoS). The vulnerability is triggered when a crafted BGP UPDATE message is supplied to the function.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted BGP UPDATE message to a vulnerable FRR instance. Because the rfapiRibBi2Ri() function does not validate its input, the crafted message is processed unchecked, leading to the DoS condition.
Impact
Successful exploitation of this vulnerability results in a Denial of Service (DoS) for the FRR service. This means the affected FRR instance will become unresponsive, disrupting network routing operations.
Mitigation
This vulnerability was addressed in FRR via a commit to the frr/frr repository [1]. While specific patched versions are not explicitly detailed in the references, users are advised to update to the latest available version of FRR that incorporates this fix. No workarounds are mentioned in the available references.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 2
7676cad65114 bgpd: improve packet parsing for EVPN and ENCAP/VNC
3 files changed · +35 −1
bgpd/bgp_evpn.c+17 −0 modified@@ -5023,6 +5023,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi, goto fail; } + /* Validate ipaddr_len against the NLRI length */ + if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + goto fail; + } + if (ipaddr_len) { ipaddr_len /= 8; /* Convert to bytes. */ p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN) @@ -5120,6 +5128,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi, /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 13 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { SET_IPADDR_V4(&p.prefix.imet_addr.ip); memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN);
bgpd/bgp_evpn_mh.c+9 −1 modified@@ -845,9 +845,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi, memcpy(&esi, pfx, ESI_BYTES); pfx += ESI_BYTES; - /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 19 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { SET_IPADDR_V4(&vtep_ip); memcpy(&vtep_ip.ipaddr_v4, pfx, IPV4_MAX_BYTELEN);
bgpd/rfapi/rfapi_rib.c+9 −0 modified@@ -668,11 +668,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri, break; case BGP_VNC_SUBTLV_TYPE_RFPOPTION: + /* Check for short subtlv: drop */ + if (pEncap->length < 3) + break; + + /* Length of zero not valid */ + if (pEncap->value[1] == 0) + break; + hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS, sizeof(struct bgp_tea_options)); assert(hop); hop->type = pEncap->value[0]; hop->length = pEncap->value[1]; + hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE, pEncap->length - 2); assert(hop->value);
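Review bot: in the process_type2_route hunk of bgpd/bgp_evpn.c, `ipaddr_len / 8` truncates, so the size test on its own accepts any bit length within 7 of a matching byte count. It is only sound if the check ending in the `goto fail;` just above the hunk already limits ipaddr_len to the valid bit lengths, which the visible context does not show. State that dependency in the comment, and name the constants 33 and 36 so a reader can tell which fixed fields they count.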
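Review bot: the bgp_evpn_type4_route_process hunk in bgpd/bgp_evpn_mh.c deletes the `/* Get the IP. */` comment but keeps the `ipaddr_len = *pfx++;` read it described, and the new check is documented only as `/* Validate */`. Keep the original comment and make the new one say what is validated (psize against 19 plus the address bytes). Since ESI_BYTES is already used just above, building 19 from named sizes would make the arithmetic checkable.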
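Review bot: in the BGP_VNC_SUBTLV_TYPE_RFPOPTION case of rfapiRibBi2Ri, `hop->length` is taken from `pEncap->value[1]` while the buffer is sized as `pEncap->length - 2`, and nothing in the hunk requires the two to agree. A sub-TLV whose option length byte is larger than the bytes actually present still passes both new checks, so any later consumer that trusts hop->length would read past hop->value. Suggest dropping the sub-TLV unless `pEncap->value[1] == pEncap->length - 2`, and logging the drop with flog_err as the EVPN hunks do instead of a silent `break`.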
4825b5ba5633 Merge pull request #21098 from mjstapp/fix_bgp_parse_evpn_vnc
3 files changed · +35 −1
bgpd/bgp_evpn.c+17 −0 modified@@ -5023,6 +5023,14 @@ static int process_type2_route(struct peer *peer, afi_t afi, safi_t safi, goto fail; } + /* Validate ipaddr_len against the NLRI length */ + if ((psize != 33 + (ipaddr_len / 8)) && (psize != 36 + (ipaddr_len / 8))) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-2 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + goto fail; + } + if (ipaddr_len) { ipaddr_len /= 8; /* Convert to bytes. */ p.prefix.macip_addr.ip.ipa_type = (ipaddr_len == IPV4_MAX_BYTELEN) @@ -5120,6 +5128,15 @@ static int process_type3_route(struct peer *peer, afi_t afi, safi_t safi, /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 13 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-3 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { SET_IPADDR_V4(&p.prefix.imet_addr.ip); memcpy(&p.prefix.imet_addr.ip.ip.addr, pfx, IPV4_MAX_BYTELEN);
bgpd/bgp_evpn_mh.c+9 −1 modified@@ -845,9 +845,17 @@ int bgp_evpn_type4_route_process(struct peer *peer, afi_t afi, safi_t safi, memcpy(&esi, pfx, ESI_BYTES); pfx += ESI_BYTES; - /* Get the IP. */ ipaddr_len = *pfx++; + + /* Validate */ + if (psize != 19 + (ipaddr_len / 8)) { + flog_err(EC_BGP_EVPN_ROUTE_INVALID, + "%u:%s - Rx EVPN Type-4 NLRI with invalid IP address length %d", + peer->bgp->vrf_id, peer->host, ipaddr_len); + return -1; + } + if (ipaddr_len == IPV4_MAX_BITLEN) { SET_IPADDR_V4(&vtep_ip); memcpy(&vtep_ip.ipaddr_v4, pfx, IPV4_MAX_BYTELEN);
bgpd/rfapi/rfapi_rib.c+9 −0 modified@@ -668,11 +668,20 @@ static void rfapiRibBi2Ri(struct bgp_path_info *bpi, struct rfapi_info *ri, break; case BGP_VNC_SUBTLV_TYPE_RFPOPTION: + /* Check for short subtlv: drop */ + if (pEncap->length < 3) + break; + + /* Length of zero not valid */ + if (pEncap->value[1] == 0) + break; + hop = XCALLOC(MTYPE_BGP_TEA_OPTIONS, sizeof(struct bgp_tea_options)); assert(hop); hop->type = pEncap->value[0]; hop->length = pEncap->value[1]; + hop->value = XCALLOC(MTYPE_BGP_TEA_OPTIONS_VALUE, pEncap->length - 2); assert(hop->value);
Vulnerability mechanics
Root cause
"Missing input validation in the rfapiRibBi2Ri() function allows for a Denial of Service via crafted BGP UPDATE messages."
Attack vector
An attacker can trigger this vulnerability by sending a crafted BGP UPDATE message to the FRRouting system. The message contains malformed data within the EVPN NLRI, specifically an IP address length that does not match the NLRI size. Because that length was not validated, the malformed message leads to a crash and Denial of Service.
Affected code
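The CVE description places the vulnerability in the `rfapiRibBi2Ri()` function within the `rfapi_rib.c` file, where the fix commit adds length checks to the `BGP_VNC_SUBTLV_TYPE_RFPOPTION` case. The same commit also changes the processing of EVPN routes in `bgp_evpn.c` and `bgp_evpn_mh.c`, including Type-2, Type-3, and Type-4 routes, where IP address lengths were not adequately validated against the packet size.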
What the fix does
The patch introduces new validation checks for the IP address length within the EVPN Type-2, Type-3, and Type-4 NLRI processing. For Type-2, it ensures the packet size matches one of the expected lengths based on the IP address length. For Type-3 and Type-4, it verifies that the packet size corresponds to the declared IP address length. In `rfapiRibBi2Ri()`, the RFPOPTION sub-TLV case now drops a sub-TLV that is shorter than 3 bytes or whose option length byte is zero. These checks prevent malformed packets from causing unexpected behavior and crashing the process.
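An added example, not FRR code: a stand-alone C parser for the option layout visible in the rfapi_rib.c hunk (value[0] is the type, value[1] the length, data follows), applying the patch's two checks plus one consistency check that is this example's own assumption. The struct, enum and function names are hypothetical, and calloc stands in for XCALLOC.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for FRR's sub-TLV and option structs (hypothetical names). */
struct subtlv {
	uint8_t length;       /* number of bytes present in value[] */
	const uint8_t *value; /* value[0]=option type, value[1]=option length, then data */
};

struct rfp_option {
	uint8_t type, length;
	uint8_t *value;
};

enum parse_rc { OPT_OK = 0, OPT_SHORT, OPT_ZERO_LEN, OPT_MISMATCH, OPT_NOMEM };

/* Parse one option; on OPT_OK the caller owns out->value and must free() it. */
enum parse_rc parse_rfp_option(const struct subtlv *tlv, struct rfp_option *out)
{
	/* Type + length + at least one data byte (the patch's "length < 3" check). */
	if (tlv->length < 3)
		return OPT_SHORT;
	/* A declared option length of zero is not valid (the patch's second check). */
	if (tlv->value[1] == 0)
		return OPT_ZERO_LEN;
	/* Assumption, not in the patch: the length byte must equal the data bytes present. */
	if (tlv->value[1] != tlv->length - 2)
		return OPT_MISMATCH;

	size_t data_len = (size_t)tlv->length - 2;
	out->value = calloc(1, data_len);
	if (out->value == NULL)
		return OPT_NOMEM;
	out->type = tlv->value[0];
	out->length = tlv->value[1];
	memcpy(out->value, tlv->value + 2, data_len);
	return OPT_OK;
}

int main(void)
{
	/* Constructed sample: type 1, declared length 9, only one data byte present. */
	const uint8_t bad[] = {0x01, 0x09, 0xAA};
	struct subtlv tlv = {(uint8_t)sizeof bad, bad};
	struct rfp_option opt = {0};
	return parse_rfp_option(&tlv, &opt) == OPT_MISMATCH ? 0 : 1;
}
```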
Preconditions
- input: A crafted BGP UPDATE message with malformed EVPN NLRI data.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2