rpm package
opensuse/frr&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/frr&distro=openSUSE%20Tumbleweed
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-37459 | Hig | 7.5 | < 10.6.1-1.1 | 10.6.1-1.1 | May 4, 2026 | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | |
| CVE-2026-37458 | Med | 6.5 | < 10.6.1-1.1 | 10.6.1-1.1 | May 4, 2026 | Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message. | |
| CVE-2026-37457 | Hig | 7.5 | < 10.6.1-1.1 | 10.6.1-1.1 | May 1, 2026 | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | |
| CVE-2026-28532 | Med | 6.5 | < 10.6.1-1.1 | 10.6.1-1.1 | Apr 30, 2026 | FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition t | |
| CVE-2026-5107 | Med | 4.2 | < 10.5.1-3.1 | 10.5.1-3.1 | Mar 30, 2026 | A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack | |
| CVE-2025-61104 | — | < 10.2.1-4.1 | 10.2.1-4.1 | Oct 28, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | ||
| CVE-2025-61100 | — | < 10.2.1-4.1 | 10.2.1-4.1 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions. | ||
| CVE-2025-61099 | — | < 10.2.1-4.1 | 10.2.1-4.1 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet. | ||
| CVE-2024-55553 | Hig | 7.5 | < 10.2.1-1.1 | 10.2.1-1.1 | Jan 6, 2025 | In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by c | |
| CVE-2024-44070 | — | < 10.0.1-2.1 | 10.0.1-2.1 | Aug 19, 2024 | An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value. | ||
| CVE-2024-34088 | — | < 8.4-12.1 | 8.4-12.1 | Apr 30, 2024 | In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. | ||
| CVE-2024-31951 | — | < 8.4-12.1 | 8.4-12.1 | Apr 7, 2024 | In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). | ||
| CVE-2024-31950 | — | < 8.4-12.1 | 8.4-12.1 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). | ||
| CVE-2024-31948 | — | < 8.4-10.1 | 8.4-10.1 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash. | ||
| CVE-2024-27913 | — | < 8.4-11.1 | 8.4-11.1 | Feb 28, 2024 | ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field. | ||
| CVE-2023-38407 | — | < 8.4-8.1 | 8.4-8.1 | Nov 6, 2023 | bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing. | ||
| CVE-2023-38406 | — | < 8.4-8.1 | 8.4-8.1 | Nov 6, 2023 | bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow." | ||
| CVE-2023-47235 | — | < 8.4-8.1 | 8.4-8.1 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome. | ||
| CVE-2023-47234 | — | < 8.4-8.1 | 8.4-8.1 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes). | ||
| CVE-2023-46753 | — | < 8.4-7.1 | 8.4-7.1 | Oct 26, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute. |
- affected < 10.6.1-1.1fixed 10.6.1-1.1
An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
- affected < 10.6.1-1.1fixed 10.6.1-1.1
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.
- affected < 10.6.1-1.1fixed 10.6.1-1.1
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
- affected < 10.6.1-1.1fixed 10.6.1-1.1
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition t
- affected < 10.5.1-3.1fixed 10.5.1-3.1
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack
- CVE-2025-61104Oct 28, 2025affected < 10.2.1-4.1fixed 10.2.1-4.1
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61100Oct 27, 2025affected < 10.2.1-4.1fixed 10.2.1-4.1
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
- CVE-2025-61099Oct 27, 2025affected < 10.2.1-4.1fixed 10.2.1-4.1
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
- affected < 10.2.1-1.1fixed 10.2.1-1.1
In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by c
- CVE-2024-44070Aug 19, 2024affected < 10.0.1-2.1fixed 10.0.1-2.1
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
- CVE-2024-34088Apr 30, 2024affected < 8.4-12.1fixed 8.4-12.1
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.
- CVE-2024-31951Apr 7, 2024affected < 8.4-12.1fixed 8.4-12.1
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
- CVE-2024-31950Apr 7, 2024affected < 8.4-12.1fixed 8.4-12.1
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
- CVE-2024-31948Apr 7, 2024affected < 8.4-10.1fixed 8.4-10.1
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
- CVE-2024-27913Feb 28, 2024affected < 8.4-11.1fixed 8.4-11.1
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
- CVE-2023-38407Nov 6, 2023affected < 8.4-8.1fixed 8.4-8.1
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.
- CVE-2023-38406Nov 6, 2023affected < 8.4-8.1fixed 8.4-8.1
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."
- CVE-2023-47235Nov 3, 2023affected < 8.4-8.1fixed 8.4-8.1
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
- CVE-2023-47234Nov 3, 2023affected < 8.4-8.1fixed 8.4-8.1
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).
- CVE-2023-46753Oct 26, 2023affected < 8.4-7.1fixed 8.4-7.1
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
Page 1 of 2