CVE-2026-37457 Overview
CVE-2026-37457 is an off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function located in bgpd/bgp_flowspec_util.c within FRRouting (FRR) stable/10.0. A remote, unauthenticated attacker can trigger the flaw by sending a crafted BGP FlowSpec component to a vulnerable speaker. Successful exploitation causes a Denial of Service (DoS) condition by corrupting memory adjacent to the targeted buffer. The weakness is classified under [CWE-787] (Out-of-bounds Write) and affects the BGP daemon (bgpd) responsible for route exchange in FRR deployments. Because BGP underpins internet and enterprise routing, an unstable bgpd process can disrupt route convergence and network availability.
Critical Impact
A remote, unauthenticated attacker can crash the FRRouting BGP daemon by sending a malformed FlowSpec component, disrupting routing on affected infrastructure.
Affected Products
- FRRouting (FRR) stable/10.0 branch
- Network appliances and Linux distributions bundling vulnerable FRR builds
- Routing platforms relying on bgpd with FlowSpec processing enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-37457 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-37457
Vulnerability Analysis
The defect resides in bgp_flowspec_op_decode(), the routine that parses operator-value pairs inside BGP FlowSpec NLRI components. FlowSpec (RFC 5575) encodes traffic-filtering rules as a sequence of typed components, each containing operator bytes and associated values. During decoding, the function performs an off-by-one write past the end of an internal buffer when handling specific operator length combinations. The miscalculation occurs because the boundary check accepts an index equal to the buffer length, allowing a single-byte write outside the allocated region. This corruption destabilizes adjacent heap or stack metadata and crashes the bgpd process. Because the parser runs as soon as a FlowSpec UPDATE arrives over an established BGP session, the attacker only needs to influence the contents of a peering message.
Root Cause
The root cause is an incorrect boundary condition in the operator-value loop, where the terminating index is treated as inclusive rather than exclusive. The fix tightens the bounds check, as shown in the upstream patch FRRouting commit 0e6882bc.
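To make the bug class concrete, the following added example (illustrative code written for this page, not FRR's bgp_flowspec_op_decode() and not the upstream patch) decodes the RFC 5575 numeric operator/value list of one FlowSpec component into a fixed-size array; the output capacity MAX_PAIRS and the function names are assumptions. The comment marks the exclusive bounds check whose inclusive variant would write one element past the array:

```c
/* Added example, not FRR code: decode RFC 5575 numeric operator/value
 * pairs of a single FlowSpec component into a caller-supplied array. */
#include <stdint.h>
#include <stddef.h>

#define MAX_PAIRS 4   /* hypothetical capacity of the output array */

struct op_value {
    uint8_t  op;      /* raw operator byte: e a len 0 lt gt eq */
    uint64_t value;   /* value is big-endian, 1/2/4/8 bytes on the wire */
};

/* Returns number of pairs decoded, or -1 if the input is truncated
 * or holds more pairs than `cap` slots in `out`. */
int decode_op_values(const uint8_t *buf, size_t len,
                     struct op_value *out, size_t cap)
{
    size_t pos = 0, n = 0;
    int end = 0;

    while (!end) {
        if (pos >= len)
            return -1;                        /* operator byte missing */
        uint8_t op = buf[pos++];
        size_t vlen = 1u << ((op >> 4) & 0x3); /* len field -> 1,2,4,8 */
        if (len - pos < vlen)
            return -1;                        /* value bytes truncated */
        /* CWE-787 off-by-one pattern: `if (n <= cap)` would admit
         * n == cap and write one element past `out`. The check on the
         * output index must be exclusive. */
        if (n >= cap)
            return -1;
        uint64_t v = 0;
        for (size_t i = 0; i < vlen; i++)
            v = (v << 8) | buf[pos + i];
        out[n].op = op;
        out[n].value = v;
        n++;
        pos += vlen;
        end = op & 0x80;                      /* e bit: last pair */
    }
    return (int)n;
}
```

The same exclusive-index discipline applies to the input side: every read is checked against the remaining length before the byte is consumed, so a truncated component fails cleanly instead of reading past the NLRI.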
Attack Vector
The vulnerability is reachable over the network without authentication or user interaction. An attacker who controls a BGP peer, or who can inject crafted UPDATE messages into a peering session, sends a FlowSpec NLRI with malformed operator-value encoding. The malformed component triggers the off-by-one write inside bgp_flowspec_op_decode(), terminating bgpd. Repeated delivery sustains the DoS and prevents route convergence.
No verified public proof-of-concept code is available. Refer to the upstream patch for the precise byte-level conditions that trigger the write.
Detection Methods for CVE-2026-37457
Indicators of Compromise
- Unexpected bgpd process crashes or restarts on FRR routers, especially shortly after receiving BGP UPDATE messages.
- Core dumps or stack traces referencing bgp_flowspec_op_decode or bgp_flowspec_util.c.
- Repeated BGP session resets with peers transmitting FlowSpec NLRI.
Detection Strategies
- Monitor FRR daemon logs (/var/log/frr/bgpd.log) for abnormal termination, signal handlers, or assertion failures during FlowSpec processing.
- Inspect BGP UPDATE traffic for FlowSpec components with unusual operator-length encodings using packet capture or flow telemetry.
- Correlate bgpd exit events with peer session state changes to identify the upstream source of malicious updates.
Monitoring Recommendations
- Forward router and bgpd logs to a centralized SIEM and alert on repeated daemon restarts.
- Track BGP session uptime and FlowSpec route counts per peer to surface anomalies.
- Apply behavioral monitoring on Linux hosts running FRR to flag crash loops and memory corruption signals; platforms such as SentinelOne Singularity Endpoint can identify abnormal process termination patterns on supported Linux distributions.
How to Mitigate CVE-2026-37457
Immediate Actions Required
- Upgrade FRRouting to a build that includes the fix from FRRouting commit 0e6882bc.
- Restrict BGP peering to authenticated, trusted neighbors using TCP-AO or MD5 and infrastructure ACLs.
- Audit all routers running FRR stable/10.0 and prioritize those that accept FlowSpec advertisements.
Patch Information
The upstream fix is committed in the FRRouting repository at 0e6882bc72c0278988a47b2f0f73b7a91099a25c. Operators should rebuild FRR from a branch that includes this commit or install vendor packages that backport it. Distribution maintainers shipping FRR 10.0 should track downstream advisories for updated binaries.
Workarounds
- Disable BGP FlowSpec address-family processing on affected speakers if it is not operationally required.
- Apply inbound BGP route filters that reject FlowSpec NLRI from peers that should not advertise it.
- Limit BGP sessions to directly connected, authenticated peers and segment management planes from untrusted networks.
# Example: disable FlowSpec address-family in FRR bgpd configuration
router bgp 65001
no bgp default ipv4-flowspec
no bgp default ipv6-flowspec
!
# Example: restrict BGP TCP/179 to known peers
iptables -A INPUT -p tcp --dport 179 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 179 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.