VYPR
Unrated severity · NVD Advisory · Published May 26, 2026

CVE-2026-48684

Description

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FastNetMon Community Edition ≤1.2.9 has an out-of-bounds read in the NetFlow v9 options template parser, caused by missing bounds checks on attacker-controlled length fields.

Vulnerability

CVE-2026-48684 affects FastNetMon Community Edition through 1.2.9. In process_netflow_v9_options_template() in netflow_v9_collector.cpp [3], two inner loops parse the scope and option fields of NetFlow v9 options templates. Each loop iterates until an attacker-controlled length is reached (option_scope_length for the scope loop, option_length for the option loop), but nothing checks that each read of a netflow9_template_flowset_record_t structure stays within the received UDP packet buffer. Additionally, option_scope_length is not validated to be a multiple of the structure size, leading to potential misaligned reads [1].
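The checks described as missing, shown as an added example (this is not FastNetMon's code and not a vendor patch): each length is validated against the bytes left in the flowset and against the record size before any record is read, and fields are read bytewise so alignment does not matter. `field_record_t`, `parse_record_list`, `parse_options_template` and the sample bytes are hypothetical names and constructed data; the 6-byte header (template ID, option scope length, option length) is the NetFlow v9 options template layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for netflow9_template_flowset_record_t: (type, length), big-endian.
struct field_record_t { uint16_t type; uint16_t length; };
constexpr size_t kRecordSize = 4;  // bytes per (type, length) record on the wire
constexpr size_t kHeaderSize = 6;  // template_id, option_scope_length, option_length

static uint16_t read_be16(const uint8_t* p) { return uint16_t(p[0] << 8 | p[1]); }

// Parse list_length bytes of records starting at offset inside zone[0..zone_size).
// Every check runs before the first read, so a rejected list appends nothing to out.
static bool parse_record_list(const uint8_t* zone, size_t zone_size, size_t offset,
                              size_t list_length, std::vector<field_record_t>& out) {
    if (list_length % kRecordSize != 0) return false;   // would end on a partial record
    if (offset > zone_size) return false;               // start is already outside the flowset
    if (list_length > zone_size - offset) return false; // claimed length exceeds bytes present
    for (size_t pos = offset; pos < offset + list_length; pos += kRecordSize)
        out.push_back({read_be16(zone + pos), read_be16(zone + pos + 2)});
    return true;
}

// zone points at the template ID; zone_size is the number of bytes left in the flowset.
// On false the template is rejected and the caller must discard scopes/options.
bool parse_options_template(const uint8_t* zone, size_t zone_size,
                            std::vector<field_record_t>& scopes,
                            std::vector<field_record_t>& options) {
    if (zone == nullptr || zone_size < kHeaderSize) return false;
    const size_t scope_length = read_be16(zone + 2);   // attacker-controlled
    const size_t option_length = read_be16(zone + 4);  // attacker-controlled
    if (!parse_record_list(zone, zone_size, kHeaderSize, scope_length, scopes)) return false;
    return parse_record_list(zone, zone_size, kHeaderSize + scope_length, option_length, options);
}

// Constructed sample: template 256, one scope (type 1, length 4), one option (type 10, length 2).
const uint8_t kValidSample[] = {0x01, 0x00, 0x00, 0x04, 0x00, 0x04,
                                0x00, 0x01, 0x00, 0x04, 0x00, 0x0a, 0x00, 0x02};
// Constructed sample: option_scope_length claims 64 bytes, only 4 follow the header.
const uint8_t kTruncatedSample[] = {0x01, 0x00, 0x00, 0x40, 0x00, 0x04, 0x00, 0x01, 0x00, 0x04};

int main() {
    std::vector<field_record_t> s, o;
    std::printf("valid: %d\n", parse_options_template(kValidSample, sizeof(kValidSample), s, o));
    s.clear(); o.clear();
    std::printf("truncated: %d\n", parse_options_template(kTruncatedSample, sizeof(kTruncatedSample), s, o));
    return 0;
}
```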

Exploitation

An attacker sends a crafted NetFlow v9 UDP packet (default port 2055) to a FastNetMon sensor. The attacker controls the option_scope_length and option_length fields in the options template flowset. The scope and option loops will read past the end of the packet buffer if the lengths exceed the flowset's size. No authentication or special privileges are required [1].

Impact

Successful exploitation triggers an out-of-bounds read that can crash the FastNetMon process (denial of service). Depending on memory layout, it may also lead to information disclosure, but the primary risk is service disruption [1].

Mitigation

As of May 23, 2026, no vendor response or fix has been observed [1]. Users should monitor for updates from FastNetMon LTD. Until a patch is available, consider applying network ACLs to restrict access to the NetFlow UDP port (default 2055) to trusted exporters only [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
