CVE-2025-61107 Overview
A NULL pointer dereference vulnerability has been identified in FRRouting (FRR), the popular open-source routing protocol suite. The vulnerability exists in the show_vty_ext_pref_pref_sid function within ospf_ext.c and affects versions from v4.0 through v10.4.1. This flaw allows remote attackers to cause a Denial of Service (DoS) condition by sending specially crafted LSA (Link State Advertisement) Update packets to vulnerable OSPF daemons.
Critical Impact
Attackers can remotely crash FRRouting OSPF daemons via crafted LSA Update packets, causing network routing disruption without requiring authentication or user interaction.
Affected Products
- FRRouting versions v4.0 through v10.4.1
- Network devices and Linux systems running vulnerable FRRouting OSPF implementations
- Data center and enterprise routing infrastructure utilizing FRR
Discovery Timeline
- 2025-10-28 - CVE-2025-61107 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2025-61107
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption issue that occurs when the application attempts to use a pointer that has a NULL value as if it were valid. In the context of FRRouting's OSPF implementation, the show_vty_ext_pref_pref_sid function fails to properly validate pointer state before dereferencing, leading to an application crash when processing malformed input.
The vulnerability can be exploited remotely over the network without requiring any authentication or privileges. When an attacker sends a crafted LSA Update packet to a vulnerable FRRouting OSPF daemon, the NULL pointer dereference occurs during packet processing, causing the routing daemon to crash. This results in complete loss of routing functionality for the affected device until the service is restarted.
Root Cause
The root cause of this vulnerability lies in insufficient pointer validation within the show_vty_ext_pref_pref_sid function in the ospf_ext.c source file. The function processes OSPF Extended Prefix SID information but fails to verify that the relevant data structures are properly initialized before attempting to access them. When a crafted LSA Update packet triggers a code path where these structures are NULL, the dereference operation causes an immediate crash.
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker positioned on the same OSPF routing domain can craft malicious LSA Update packets and send them to vulnerable FRRouting instances. The vulnerability in the show_vty_ext_pref_pref_sid function is triggered when the OSPF daemon attempts to process these malformed packets.
The attack exploits the OSPF protocol's normal packet exchange mechanism. Since OSPF is a link-state routing protocol that relies on LSA exchanges between routers, attackers with network access to OSPF-enabled interfaces can inject malicious LSA Update packets that contain unexpected or malformed Extended Prefix SID data, triggering the NULL pointer dereference condition.
Detection Methods for CVE-2025-61107
Indicators of Compromise
- Unexpected crashes or restarts of the FRRouting OSPF daemon (ospfd) process
- Core dump files indicating segmentation faults in ospf_ext.c or the show_vty_ext_pref_pref_sid function
- System logs showing OSPF daemon termination signals (SIGSEGV)
- Network routing instability or loss of OSPF adjacencies without apparent cause
Detection Strategies
- Monitor system logs for FRRouting process crashes and segmentation faults related to OSPF operations
- Implement network intrusion detection rules to identify anomalous or malformed OSPF LSA Update packets
- Configure process monitoring to alert on unexpected ospfd daemon restarts or terminations
- Analyze packet captures on OSPF-enabled interfaces for unusual LSA packet patterns
Monitoring Recommendations
- Enable detailed logging for FRRouting OSPF daemon operations
- Deploy network monitoring to track OSPF adjacency state changes and identify rapid flapping
- Implement automated alerting for FRRouting service availability and health status
- Review core dumps and crash logs periodically to identify potential exploitation attempts
How to Mitigate CVE-2025-61107
Immediate Actions Required
- Upgrade FRRouting to a patched version beyond v10.4.1 as soon as available
- Apply the security patch from the official FRRouting commit
- Restrict network access to OSPF-enabled interfaces using firewall rules where feasible
- Monitor OSPF daemon stability and implement automatic restart mechanisms as a temporary measure
Patch Information
FRRouting has addressed this vulnerability through a code fix that adds proper NULL pointer validation in the show_vty_ext_pref_pref_sid function. The patch is available in FRRouting Pull Request #19480 with the specific fix committed as fdd957408605d4a1766225630aafc7e6b7c3daf3. Organizations should apply this patch or upgrade to a version that includes this fix.
For technical details and issue tracking, refer to the GitHub issue #19471 and the CVE-2025-61107 analysis.
Workarounds
- Implement access control lists (ACLs) to restrict OSPF traffic to trusted router peers only
- Configure network segmentation to limit exposure of OSPF-enabled interfaces to untrusted networks
- Enable process supervision (systemd, supervisord) to automatically restart the OSPF daemon if it crashes
- Consider temporarily disabling OSPF Extended Prefix SID functionality if operationally feasible
# Example: Restrict OSPF traffic to trusted peers using iptables
iptables -A INPUT -p ospf -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p ospf -j DROP
# Enable automatic restart of FRR services via systemd
systemctl edit frr.service
# Add Restart=always under [Service] section
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
