CVE-2026-28532

MEDIUM EPSS 13.1%
Published Apr 30, 20262mo ago · Modified Jun 17, 20261w ago
6.0 CVSS 4.0
Medium
Find Similar
Published Apr 30, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

CVSS Details

Base Score
6.0
Exploitability
Impact
Vector string
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Adjacent
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
13.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-125 Out-of-bounds Read Memory Safety
CWE-190 Integer Overflow or Wraparound Numeric Error

Affected Products 1

VendorProductVersionRange
frroutingfrrouting* <10.5.3

References 4

  • github.com https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd
    Patch
  • github.com https://github.com/FRRouting/frr/pull/21002
    Issue TrackingPatch
  • github.com https://github.com/FRRouting/frr/releases/tag/frr-10.5.3
    Release Notes
  • vulncheck.com https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions
    Third Party Advisory

Remediation

  • github.com https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd
    Patch
  • github.com https://github.com/FRRouting/frr/pull/21002
    Issue TrackingPatch