Frr
by Frrouting
Source repositories
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-61102 | Hig | 0.00 | 7.5 | 0.00 | Oct 27, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | ||
| CVE-2025-61101 | Hig | 0.00 | 7.5 | 0.00 | Oct 27, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | ||
| CVE-2025-61100 | Hig | 0.00 | 7.5 | 0.00 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions. | ||
| CVE-2025-61099 | Hig | 0.00 | 7.5 | 0.00 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet. | ||
| CVE-2024-34088 | Hig | 0.00 | 7.5 | 0.01 | Apr 30, 2024 | In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. | ||
| CVE-2024-31951 | Med | 0.00 | 6.5 | 0.01 | Apr 7, 2024 | In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). | ||
| CVE-2024-31950 | Med | 0.00 | 6.5 | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). | ||
| CVE-2024-31949 | Med | 0.00 | 6.5 | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing. | ||
| CVE-2024-31948 | Med | 0.00 | 6.5 | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash. | ||
| CVE-2024-27913 | Med | 0.00 | 6.5 | 0.00 | Feb 28, 2024 | ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field. | ||
| CVE-2023-38407 | Hig | 0.00 | 7.5 | 0.01 | Nov 6, 2023 | bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing. | ||
| CVE-2023-38406 | Cri | 0.00 | 9.8 | 0.01 | Nov 6, 2023 | bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow." | ||
| CVE-2023-47235 | Hig | 0.00 | 7.5 | 0.01 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome. | ||
| CVE-2023-47234 | Hig | 0.00 | 7.5 | 0.01 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes). | ||
| CVE-2023-46753 | Med | 0.00 | 5.9 | 0.01 | Oct 26, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute. | ||
| CVE-2023-46752 | Med | 0.00 | 5.9 | 0.01 | Oct 26, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash. | ||
| CVE-2023-41909 | Hig | 0.00 | 7.5 | 0.01 | Sep 5, 2023 | An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference. | ||
| CVE-2023-41361 | Cri | 0.00 | 9.8 | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version. | ||
| CVE-2023-41360 | Cri | 0.00 | 9.1 | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. | ||
| CVE-2023-41359 | Cri | 0.00 | 9.1 | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation. |
- risk 0.00cvss 7.5epss 0.00
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- risk 0.00cvss 7.5epss 0.00
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- risk 0.00cvss 7.5epss 0.00
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
- risk 0.00cvss 7.5epss 0.00
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
- risk 0.00cvss 7.5epss 0.01
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.
- risk 0.00cvss 6.5epss 0.01
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
- risk 0.00cvss 6.5epss 0.01
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
- risk 0.00cvss 6.5epss 0.01
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
- risk 0.00cvss 6.5epss 0.01
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
- risk 0.00cvss 6.5epss 0.00
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
- risk 0.00cvss 7.5epss 0.01
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.
- risk 0.00cvss 9.8epss 0.01
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."
- risk 0.00cvss 7.5epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
- risk 0.00cvss 7.5epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).
- risk 0.00cvss 5.9epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
- risk 0.00cvss 5.9epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
- risk 0.00cvss 7.5epss 0.01
An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.
- risk 0.00cvss 9.8epss 0.01
An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.
- risk 0.00cvss 9.1epss 0.01
An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.
- risk 0.00cvss 9.1epss 0.01
An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.
Page 2 of 3