CVE-2026-48685
Description
FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_bgp_attribute() function correctly identifies when extended_length_bit is set and sets length_of_length_field to 2, but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173). Per RFC 4271 Section 4.3, when the Extended Length bit is set, the Attribute Length field is two octets and the value should be read as a 16-bit big-endian integer from value[2] and value[3]. As a result, any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining 256 bytes are then misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon CE ≤1.2.9 truncates extended-length BGP attribute values to one byte, leading to out-of-bounds memory access.
Vulnerability
In FastNetMon Community Edition through version 1.2.9, the parse_raw_bgp_attribute() function in src/bgp_protocol.hpp incorrectly parses BGP path attributes when the Extended Length flag (bit 0x10) is set. Per RFC 4271 Section 4.3, when this flag is set, the Attribute Length field is two octets. The code sets length_of_length_field = 2 correctly but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173), ignoring the second byte. Any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining bytes are misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access [1][3].
Exploitation
An attacker who can establish a BGP session with the GoBGP daemon that feeds route data to FastNetMon can send crafted UPDATE messages containing BGP path attributes with the Extended Length flag set and a value larger than 255 bytes. No additional authentication is required beyond BGP peering; the attacker must be in a network position to inject BGP routes (i.e., a BGP peer). The vulnerable code path is triggered automatically when FastNetMon processes the received attribute data [1].
Impact
Successful exploitation results in out-of-bounds memory access during attribute parsing. This can lead to a denial-of-service condition (e.g., crash of the FastNetMon process) and potentially information disclosure via memory read beyond intended bounds. The attacker does not gain code execution directly from the out-of-bounds read, but the cascading parse confusion may enable further manipulation of FastNetMon's state [1].
Mitigation
As of the publication date (2026-05-26), no vendor fix has been released [1]. The vulnerable code is in src/bgp_protocol.hpp of FastNetMon Community Edition up to version 1.2.9. Users should apply a local patch to correct the attribute length read: when extended_length_bit is set, read a 16-bit big-endian value from value[2] and value[3]. Alternatively, restrict BGP peering to trusted peers only. No workaround is provided by the vendor, and the issue is not listed in CISA's Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.