CVE-2026-49943

Vulnerability

BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the as_path_match() function within nest/a-path.c. This vulnerability occurs when RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression. The parse_path() function expands AS_PATH segments from a BGP UPDATE without enforcing a capacity limit, allowing a crafted long AS_PATH to overwrite a fixed-size stack buffer used by as_path_match().

Exploitation

An established BGP peer can trigger this vulnerability by sending a BGP UPDATE message containing a long AS_PATH. This requires RFC 8654 BGP Extended Messages to be enabled and a BIRD filter to be configured to evaluate an AS path mask expression, such as bgp_path ~ [= ... =]. The attacker needs network access to the BIRD daemon to send the malicious BGP UPDATE.

Impact

Successful exploitation of this vulnerability causes a crash of the BIRD Internet Routing Daemon. This denial-of-service condition can disrupt network routing functions managed by the affected BIRD instance.

Mitigation

The supplier's position is that a fix is not being prioritized, as network operators should already be rejecting routes with unusually long attributes [1]. No patched version or specific workaround has been disclosed in the available references. BIRD versions prior to 2.19.0 are affected.