CVE-2026-48689

CRITICAL EPSS 47.6%
Published May 26, 2026 (1mo ago) · Modified Jun 17, 2026 (1w ago)
9.8 CVSS 3.1

Description

FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
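The two bounds checks quoted in the description, compared in an added example that is not FastNetMon's code: bounded_buffer, worst_overrun and the guard padding are hypothetical names, and capacity_ stands in for maximum_internal_storage_size. The model allocates guard bytes after the logical end so that the extra byte admitted by the flawed check can be counted without leaving the allocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
using std::size_t; using std::uint8_t;

constexpr uint8_t kGuard = 0xA5;  // sentinel value placed after the logical end
constexpr size_t kGuardLen = 8;   // padding so the model itself never writes out of bounds

// Hypothetical stand-in for a fixed-capacity byte buffer; not FastNetMon's class.
class bounded_buffer {
public:
    bounded_buffer(size_t capacity, bool flawed_check)
        : storage_(capacity + kGuardLen, kGuard), capacity_(capacity), flawed_(flawed_check) {}

    // Returns false when the bounds check rejects the write.
    bool append(const uint8_t* src, size_t length) {
        // Flawed form from the description compares against size + 1.
        const size_t limit = flawed_ ? capacity_ + 1 : capacity_;
        if (offset_ + length > limit) return false;
        std::memcpy(storage_.data() + offset_, src, length);
        offset_ += length;
        return true;
    }

    // Number of guard bytes past the logical end that were overwritten.
    size_t overrun() const {
        size_t n = 0;
        for (size_t i = capacity_; i < storage_.size(); ++i)
            if (storage_[i] != kGuard) ++n;
        return n;
    }

private:
    std::vector<uint8_t> storage_;
    size_t capacity_;
    size_t offset_ = 0;
    bool flawed_;
};

// Try every pair of append lengths around the boundary; return the worst overrun seen.
size_t worst_overrun(size_t capacity, bool flawed_check) {
    const std::vector<uint8_t> payload(capacity + kGuardLen, 0x00);  // constructed input
    size_t worst = 0;
    for (size_t a = 0; a <= capacity + 2; ++a)
        for (size_t b = 0; b <= capacity + 2; ++b) {
            bounded_buffer buf(capacity, flawed_check);
            buf.append(payload.data(), a);
            buf.append(payload.data(), b);
            if (buf.overrun() > worst) worst = buf.overrun();
        }
    return worst;
}
```

A boundary sweep of this kind works as a regression test for the corrected check: it fails as soon as any append path accepts a write ending past the capacity.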

CVSS Details

Base Score 9.8
Exploitability 3.9
Impact 5.9
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
47.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 3

CWE-122
CWE-193
CWE-787 Out-of-bounds Write Memory Safety

Affected Products 1

Vendor          Product     Version  Range
pavel-odintsov  fastnetmon  *        ≤1.2.9

References 3

  • github.com https://github.com/pavel-odintsov/fastnetmon
    Product
  • github.com https://github.com/pavel-odintsov/fastnetmon/blob/master/src/dynamic_binary_buffer.hpp
    Product
  • lorikeetsecurity.com https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one
    Exploit, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.