Vendor CVEs
Frrouting
All CVEs
51 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-15865 | Hig | 0.49 | 7.5 | 0.02 | Nov 8, 2017 | bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in Cumulus Linux before 3.4.3 and other products, allows remote attackers to obtain sensitive information via a malformed BGP UPDATE packet from a connected peer, which triggers transmission of up to a few… | ||
| CVE-2026-37460 | Hig | 0.42 | 7.5 | 0.00 | Jun 3, 2026 | Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | ||
| CVE-2026-37459 | Hig | 0.42 | 7.5 | 0.00 | May 4, 2026 | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | ||
| CVE-2026-37457 | Hig | 0.42 | 7.5 | 0.00 | May 1, 2026 | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | ||
| CVE-2024-55553 | Hig | 0.42 | 7.5 | 0.01 | Jan 6, 2025 | In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by… | ||
| CVE-2026-37458 | Med | 0.35 | 6.5 | 0.00 | May 4, 2026 | Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message. | ||
| CVE-2026-28532 | Med | 0.35 | 6.5 | 0.00 | Apr 30, 2026 | FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition… | ||
| CVE-2026-5107 | Med | 0.20 | 4.2 | 0.00 | Mar 30, 2026 | A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The… | ||
| CVE-2025-61107 | 0.00 | — | 0.01 | Oct 28, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet. | |||
| CVE-2025-61104 | 0.00 | — | 0.01 | Oct 28, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2025-61103 | 0.00 | — | 0.01 | Oct 28, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2025-61106 | 0.00 | — | 0.01 | Oct 28, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2025-61101 | 0.00 | — | 0.00 | Oct 27, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2025-61100 | 0.00 | — | 0.00 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions. | |||
| CVE-2025-61105 | 0.00 | — | 0.00 | Oct 27, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2025-61099 | 0.00 | — | 0.00 | Oct 27, 2025 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet. | |||
| CVE-2025-61102 | 0.00 | — | 0.00 | Oct 27, 2025 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | |||
| CVE-2024-44070 | 0.00 | — | 0.01 | Aug 19, 2024 | An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value. | |||
| CVE-2024-34088 | 0.00 | — | 0.01 | Apr 30, 2024 | In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. | |||
| CVE-2024-31951 | 0.00 | — | 0.01 | Apr 7, 2024 | In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). | |||
| CVE-2024-31950 | 0.00 | — | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). | |||
| CVE-2024-31949 | 0.00 | — | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing. | |||
| CVE-2024-31948 | 0.00 | — | 0.01 | Apr 7, 2024 | In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash. | |||
| CVE-2024-27913 | 0.00 | — | 0.00 | Feb 28, 2024 | ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field. | |||
| CVE-2023-38406 | 0.00 | — | 0.01 | Nov 6, 2023 | bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow." | |||
| CVE-2023-38407 | 0.00 | — | 0.01 | Nov 6, 2023 | bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing. | |||
| CVE-2023-47235 | 0.00 | — | 0.01 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome. | |||
| CVE-2023-47234 | 0.00 | — | 0.01 | Nov 3, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes). | |||
| CVE-2023-46752 | 0.00 | — | 0.01 | Oct 26, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash. | |||
| CVE-2023-46753 | 0.00 | — | 0.01 | Oct 26, 2023 | An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute. | |||
| CVE-2023-41909 | 0.00 | — | 0.01 | Sep 5, 2023 | An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference. | |||
| CVE-2023-41361 | 0.00 | — | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version. | |||
| CVE-2023-41358 | 0.00 | — | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. | |||
| CVE-2023-38802 | 0.00 | — | 0.01 | Aug 29, 2023 | FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation). | |||
| CVE-2023-41360 | 0.00 | — | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. | |||
| CVE-2023-41359 | 0.00 | — | 0.01 | Aug 29, 2023 | An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation. | |||
| CVE-2023-3748 | 0.00 | — | 0.01 | Jul 24, 2023 | A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV… | |||
| CVE-2023-31489 | 0.00 | — | 0.01 | May 9, 2023 | An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function. | |||
| CVE-2022-40302 | 0.00 | — | 0.02 | May 3, 2023 | An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible… | |||
| CVE-2022-40318 | 0.00 | — | 0.02 | May 3, 2023 | An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible… | |||
| CVE-2022-43681 | 0.00 | — | 0.02 | May 3, 2023 | An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in case of an extended OPEN message), the FRR code reads of out of the bounds of the packet,… | |||
| CVE-2022-36440 | 0.00 | — | 0.02 | Apr 3, 2023 | A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS. | |||
| CVE-2022-37032 | 0.00 | — | 0.02 | Sep 19, 2022 | An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c. | |||
| CVE-2022-37035 | 0.00 | — | 0.02 | Aug 2, 2022 | An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP… | |||
| CVE-2022-26129 | 0.00 | — | 0.01 | Mar 3, 2022 | Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c. | |||
| CVE-2022-26128 | 0.00 | — | 0.01 | Mar 3, 2022 | A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c. | |||
| CVE-2022-26127 | 0.00 | — | 0.01 | Mar 3, 2022 | A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c. | |||
| CVE-2022-26126 | 0.00 | — | 0.01 | Mar 3, 2022 | Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c. | |||
| CVE-2022-26125 | 0.00 | — | 0.01 | Mar 3, 2022 | Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c. | |||
| CVE-2020-12831 | 0.00 | — | 0.01 | May 13, 2020 | An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and… |
- risk 0.49cvss 7.5epss 0.02
bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in Cumulus Linux before 3.4.3 and other products, allows remote attackers to obtain sensitive information via a malformed BGP UPDATE packet from a connected peer, which triggers transmission of up to a few…
- risk 0.42cvss 7.5epss 0.00
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
- risk 0.42cvss 7.5epss 0.00
An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
- risk 0.42cvss 7.5epss 0.00
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
- risk 0.42cvss 7.5epss 0.01
In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by…
- risk 0.35cvss 6.5epss 0.00
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.
- risk 0.35cvss 6.5epss 0.00
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition…
- risk 0.20cvss 4.2epss 0.00
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The…
- CVE-2025-61107Oct 28, 2025risk 0.00cvss —epss 0.01
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
- CVE-2025-61104Oct 28, 2025risk 0.00cvss —epss 0.01
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61103Oct 28, 2025risk 0.00cvss —epss 0.01
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61106Oct 28, 2025risk 0.00cvss —epss 0.01
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61101Oct 27, 2025risk 0.00cvss —epss 0.00
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61100Oct 27, 2025risk 0.00cvss —epss 0.00
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
- CVE-2025-61105Oct 27, 2025risk 0.00cvss —epss 0.00
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2025-61099Oct 27, 2025risk 0.00cvss —epss 0.00
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
- CVE-2025-61102Oct 27, 2025risk 0.00cvss —epss 0.00
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
- CVE-2024-44070Aug 19, 2024risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
- CVE-2024-34088Apr 30, 2024risk 0.00cvss —epss 0.01
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.
- CVE-2024-31951Apr 7, 2024risk 0.00cvss —epss 0.01
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
- CVE-2024-31950Apr 7, 2024risk 0.00cvss —epss 0.01
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
- CVE-2024-31949Apr 7, 2024risk 0.00cvss —epss 0.01
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
- CVE-2024-31948Apr 7, 2024risk 0.00cvss —epss 0.01
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
- CVE-2024-27913Feb 28, 2024risk 0.00cvss —epss 0.00
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
- CVE-2023-38406Nov 6, 2023risk 0.00cvss —epss 0.01
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."
- CVE-2023-38407Nov 6, 2023risk 0.00cvss —epss 0.01
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.
- CVE-2023-47235Nov 3, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
- CVE-2023-47234Nov 3, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).
- CVE-2023-46752Oct 26, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
- CVE-2023-46753Oct 26, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
- CVE-2023-41909Sep 5, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.
- CVE-2023-41361Aug 29, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.
- CVE-2023-41358Aug 29, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.
- CVE-2023-38802Aug 29, 2023risk 0.00cvss —epss 0.01
FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
- CVE-2023-41360Aug 29, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.
- CVE-2023-41359Aug 29, 2023risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.
- CVE-2023-3748Jul 24, 2023risk 0.00cvss —epss 0.01
A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV…
- CVE-2023-31489May 9, 2023risk 0.00cvss —epss 0.01
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.
- CVE-2022-40302May 3, 2023risk 0.00cvss —epss 0.02
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible…
- CVE-2022-40318May 3, 2023risk 0.00cvss —epss 0.02
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible…
- CVE-2022-43681May 3, 2023risk 0.00cvss —epss 0.02
An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in case of an extended OPEN message), the FRR code reads of out of the bounds of the packet,…
- CVE-2022-36440Apr 3, 2023risk 0.00cvss —epss 0.02
A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS.
- CVE-2022-37032Sep 19, 2022risk 0.00cvss —epss 0.02
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.
- CVE-2022-37035Aug 2, 2022risk 0.00cvss —epss 0.02
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP…
- CVE-2022-26129Mar 3, 2022risk 0.00cvss —epss 0.01
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.
- CVE-2022-26128Mar 3, 2022risk 0.00cvss —epss 0.01
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c.
- CVE-2022-26127Mar 3, 2022risk 0.00cvss —epss 0.01
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.
- CVE-2022-26126Mar 3, 2022risk 0.00cvss —epss 0.01
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.
- CVE-2022-26125Mar 3, 2022risk 0.00cvss —epss 0.01
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.
- CVE-2020-12831May 13, 2020risk 0.00cvss —epss 0.01
An issue was discovered in FRRouting FRR (aka Free Range Routing) through 7.3.1. When using the split-config feature, the init script creates an empty config file with world-readable default permissions, leading to a possible information leak via tools/frr.in and…
Page 1 of 2