CRITICAL🇵🇱 Wersja polska

CVE-2026-48686

CVSS 9.8pub. 2026-05-26upd. 2026-05-27

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.

🤖 AI Analysis
How it works

The decode_bgp_subnet_encoding_ipv4_raw() function in src/bgp_protocol.cpp reads the prefix_bit_length value directly from the BGP packet without validation that it does not exceed 32 (the maximum IPv4 prefix length). This value is passed to the how_much_bytes_we_need_for_storing_certain_subnet_mask() function, which calculates the number of bytes as ceil(prefix_bit_length / 8) — for a value of 255 it returns 32 bytes. The result is then used as the length argument in a memcpy() call, which copies data into a 4-byte stack variable prefix_ipv4, causing a stack buffer overflow of up to 28 bytes. Additionally, the unvalidated prefix_bit_length value is passed to the convert_cidr_to_binary_netmask_local_function_copy() function, where a bit shift (32 - cidr) for cidr > 32 triggers undefined behavior.

Impact

An attacker can conduct a remote attack without authentication and gain the ability to execute arbitrary code (RCE) in the context of the FastNetMon process, which in practice can mean complete takeover of the system.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until the update is performed, it is recommended to restrict network access to BGP interfaces only to trusted peers through firewall rules and monitor BGP traffic for anomalous prefix lengths.

Who is affected

FastNetMon Community Edition in versions up to and including 1.2.9

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pavel Odintsov Fastnetmon

    APP
    Pavel-Odintsov
    ≤ 1.2.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEMemory
CWE
References

Related vulnerabilities

CVE-2026-48691CRITICAL9.8PL ✓ten sam produkt

FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow

CVE-2026-48687CRITICAL9.8PL ✓ten sam produkt

Command injection w pluginie Juniper FastNetMon Community Edition

CVE-2026-48689CRITICAL9.8PL ✓ten sam produkt

FastNetMon: off-by-one heap buffer overflow umożliwiający RCE

CVE-2026-48690HIGH7.1ten sam produkt

FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...

CVE-2026-48688HIGH7.5ten sam produkt

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...