CVE-2026-48691
Description
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (lines 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t and truncates when the AS_PATH holds more than 255 ASNs.
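The following C++ example is added here and is not FastNetMon's code or a vendor fix: it reproduces the uint8_t narrowing described above next to a checked length computation. The function and constant names are hypothetical, the 2-byte segment header is taken from the description's arithmetic, and the extended-length flag (0x10) comes from RFC 4271 rather than from this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumption: the segment header (type + ASN count) is 2 bytes, matching the
// "2 + 64*4 = 258" arithmetic in the description above.
constexpr std::size_t kSegmentHeaderSize = 2;
constexpr std::size_t kMaxAsnsPerSegment = 255;     // ASN count is one octet
constexpr std::uint8_t kFlagExtendedLength = 0x10;  // RFC 4271 attribute flag bit

// Flawed pattern: the size_t result is silently narrowed into a uint8_t.
std::uint8_t narrowed_attribute_length(std::size_t asn_count) {
    return static_cast<std::uint8_t>(kSegmentHeaderSize +
                                     asn_count * sizeof(std::uint32_t));
}

struct AsPathLength {
    bool ok;                 // false: one segment cannot carry this many ASNs
    std::uint16_t length;    // attribute value length in bytes
    std::uint8_t flag_bits;  // kFlagExtendedLength when a 2-octet length is needed
};

// Hardened form: compute in size_t, reject what the one-octet ASN count cannot
// express, and switch to the extended-length encoding instead of narrowing.
AsPathLength checked_attribute_length(std::size_t asn_count) {
    if (asn_count > kMaxAsnsPerSegment) {
        return {false, 0, 0};  // caller must split into segments or refuse
    }
    const std::size_t full = kSegmentHeaderSize + asn_count * sizeof(std::uint32_t);
    const std::uint8_t flags = full > 0xFF ? kFlagExtendedLength : 0;
    return {true, static_cast<std::uint16_t>(full), flags};  // max 2 + 255*4 = 1022
}

int main() {
    const std::size_t samples[] = {63, 64, 255, 256};  // constructed inputs
    for (std::size_t n : samples) {
        const AsPathLength r = checked_attribute_length(n);
        std::printf("asns=%zu narrowed=%u checked=%d ext=%d\n", n,
                    static_cast<unsigned>(narrowed_attribute_length(n)),
                    r.ok ? static_cast<int>(r.length) : -1, r.flag_bits != 0);
    }
    return 0;
}
```

The buffer allocation and the write loop must both use the checked length, so that the size reserved and the bytes written can never diverge.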
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon Community Edition <=1.2.9 uses uint8_t for BGP AS_PATH attribute length, causing silent truncation and heap buffer overflow on encode.
Vulnerability
In FastNetMon Community Edition through 1.2.9, the IPv4UnicastAnnounce::get_attributes() function in src/bgp_protocol.hpp (lines 600-621) stores the AS_PATH attribute length in a uint8_t field [1][3]. This field can only hold values 0-255, so an AS_PATH containing more than 63 ASNs (2 + 64×4 = 258 bytes) causes silent truncation of the length value [1]. The truncated length is used for buffer sizing while the full untruncated data is written, resulting in a heap buffer overflow [1][3].
Exploitation
An attacker with the ability to send crafted BGP UPDATE messages to FastNetMon (via a BGP peer through GoBGP or the gRPC API) can trigger the vulnerable code path when FastNetMon constructs an outgoing BGP UPDATE to announce a blackhole route or forward a route [1]. The attacker needs to include an AS_PATH with more than 63 ASNs, causing the attribute length truncation and subsequent overflow on encode [1]. No authentication or prior access is required beyond BGP peering.
Impact
Successful exploitation results in a heap buffer overflow, which can corrupt adjacent memory [1]. This may lead to denial of service or potentially arbitrary code execution in the context of the FastNetMon process, depending on heap layout and attack sophistication [1].
Mitigation
As of May 26, 2026, no vendor fix has been released; Lorikeet Security notified FastNetMon LTD on April 25, 2026, but no response or patch had been provided as of May 23, 2026 [1]. The vulnerability affects all Community Edition versions through 1.2.9 [1][2]. No workaround is documented. Users should monitor the project’s GitHub repository for a patched release [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.9
Patches
No patches discovered yet.