VYPR
← All advisories
Unrated severityNVD Advisory· Published May 26, 2026

CVE-2026-48688

CVE-2026-48688

Description

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FastNetMon Community Edition through 1.2.9 has multiple out-of-bounds reads in BGP MP_REACH_NLRI IPv6 decoder due to missing sanity checks, potentially leading to denial of service or information disclosure.

Vulnerability

In src/bgp_protocol.cpp, the function decode_mp_reach_ipv6() at line 156 contains a TODO comment explicitly acknowledging missing sanity checks. The function casts raw pointers to structure types without verifying sufficient data exists, uses attacker-controlled length_of_next_hop to determine memcpy size, and computes prefix_length from multiple attacker-controlled offsets without bounds validation [1][2][3]. Affected version: FastNetMon Community Edition through 1.2.9.

Exploitation

An attacker with a BGP peer session (e.g., through GoBGP) can send a crafted BGP UPDATE message with a malicious MP_REACH_NLRI attribute for the IPv6 address family. By controlling the length_of_next_hop field and other offsets, the attacker causes memcpy operations to read beyond the attribute's memory block without bounds checks [1].

Impact

Successful exploitation results in out-of-bounds reads from the attribute's memory block. This can lead to a denial of service (crash) or potential information disclosure of adjacent memory. The exact impact depends on the memory layout and the attacker's control over the size and offset fields [1].

Mitigation

As of the publication date (2026-05-26), FastNetMon LTD has not released a fix. The TODO comment remains unresolved in version 1.2.9 and earlier. No workaround is available other than restricting BGP peer sessions to trusted parties or disabling BGP functionality if not needed [1].

References
  1. CVE-2026-48688: FastNetMon BGP MP_REACH_NLRI IPv6 Decoder Has an Acknowledged TODO
  2. GitHub - pavel-odintsov/fastnetmon: Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
  3. fastnetmon/src/bgp_protocol.cpp at master · pavel-odintsov/fastnetmon

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.