CVE-2026-48686
Description
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon Community Edition ≤1.2.9 has a stack buffer overflow in its BGP NLRI decoder, allowing remote unauthenticated attackers to achieve arbitrary code execution.
Vulnerability
FastNetMon Community Edition through version 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder, specifically in the function decode_bgp_subnet_encoding_ipv4_raw() located in src/bgp_protocol.cpp [1][3]. The function reads a prefix_bit_length value directly from the BGP packet (line 99) without validating that it is ≤ 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask(), which computes ceil(prefix_bit_length / 8) and can return up to 32 bytes for a prefix_bit_length of 255. The computed byte count is then used as the length argument to memcpy() (line 106), which copies attacker-controlled data into a 4-byte uint32_t stack variable (prefix_ipv4), causing a stack buffer overflow of up to 28 bytes [1]. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 invokes undefined behavior [1].
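The missing length check described above, as an added example in C that is not FastNetMon's code or an upstream patch. The function name decode_ipv4_nlri_checked, its signature and the sample bytes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netmask in host byte order. /0 is special-cased: shifting a 32-bit value
 * by 32 is undefined behavior. Caller guarantees cidr <= 32. */
static uint32_t cidr_to_netmask(uint8_t cidr) {
    return cidr == 0 ? 0u : 0xFFFFFFFFu << (32u - cidr);
}

/* Hypothetical checked decoder for one IPv4 NLRI entry:
 * [1 byte prefix length in bits][ceil(length / 8) prefix bytes].
 * Returns false on malformed input and leaves the outputs untouched. */
bool decode_ipv4_nlri_checked(const uint8_t *buf, size_t buf_len,
                              uint32_t *prefix, uint32_t *netmask,
                              uint8_t *bits, size_t *consumed) {
    if (buf == NULL || buf_len < 1) return false;

    uint8_t prefix_bit_length = buf[0];
    if (prefix_bit_length > 32) return false;   /* bound for IPv4 */

    size_t need = ((size_t)prefix_bit_length + 7u) / 8u;  /* 0..4 */
    if (buf_len - 1 < need) return false;        /* truncated NLRI */

    uint8_t addr[4] = {0};                       /* zero-padded prefix */
    memcpy(addr, buf + 1, need);                 /* need <= sizeof addr */

    uint32_t mask = cidr_to_netmask(prefix_bit_length);
    uint32_t host = ((uint32_t)addr[0] << 24) | ((uint32_t)addr[1] << 16) |
                    ((uint32_t)addr[2] << 8) | (uint32_t)addr[3];
    *prefix = host & mask;                       /* drop trailing bits */
    *netmask = mask;
    *bits = prefix_bit_length;
    *consumed = 1 + need;
    return true;
}

int main(void) {
    /* Constructed sample inputs: a valid 10.1.2.0/24 and a length byte of 255. */
    const uint8_t good[] = {24, 10, 1, 2};
    uint8_t bad[33] = {255};
    uint32_t p = 0, m = 0; uint8_t b = 0; size_t n = 0;
    bool ok = decode_ipv4_nlri_checked(good, sizeof good, &p, &m, &b, &n);
    printf("good: ok=%d prefix=%08x/%u used=%zu\n", ok, (unsigned)p, (unsigned)b, n);
    ok = decode_ipv4_nlri_checked(bad, sizeof bad, &p, &m, &b, &n);
    printf("bad:  ok=%d\n", ok);
    return 0;
}
```

The check on the length byte runs before any byte count is derived from it, so the copy size can never exceed the 4-byte destination, and the second check rejects an entry whose declared prefix runs past the end of the received buffer.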
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted BGP update message to an affected FastNetMon instance that is acting as a BGP peer (e.g., through GoBGP) [1]. The attacker must be able to establish a BGP session and send a malicious NLRI payload. The exploit sequence involves setting the prefix_bit_length to a value greater than 32 (e.g., 255) in the BGP NLRI field, triggering the overflow in memcpy() [1]. The default CMake build of FastNetMon uses no stack canaries, no FORTIFY_SOURCE, and no RELRO, making exploitation more reliable [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution on the target system, gaining full control of the FastNetMon process [1]. The 28-byte overflow is sufficient to overwrite the saved return address and potentially other critical stack data, leading to arbitrary code execution in the context of the FastNetMon application [1]. The CIA impact is high: the attacker can fully compromise confidentiality, integrity, and availability of the affected system.
Mitigation
A patched version has not yet been released; the vulnerability exists in FastNetMon Community Edition up to and including version 1.2.9 [1]. Users should monitor the official GitHub repository [2] for updates. No official workaround is available. As of the publication date, this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Until a fix is provided, administrators should restrict BGP peering to trusted peers and consider network segmentation to limit exposure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.