CVE-2026-37459 Overview
CVE-2026-37459 is an integer underflow vulnerability in FRRouting (FRR), an open-source internet routing protocol suite used on Linux and Unix platforms. The flaw affects FRR versions stable/10.0 through stable/10.6 and resides in the Border Gateway Protocol daemon (bgpd). Attackers can trigger a Denial of Service (DoS) by sending a crafted BGP UPDATE message containing a malformed Next Hop Capability (NHC) Type-Length-Value (TLV) field. The underflow occurs during length validation of the TLV header, allowing a remote unauthenticated attacker to crash the routing daemon.
Critical Impact
Remote unauthenticated attackers can crash the FRR BGP daemon, disrupting routing operations across affected networks.
Affected Products
- FRRouting (FRR) stable/10.0
- FRRouting (FRR) stable/10.1 through stable/10.5
- FRRouting (FRR) stable/10.6
Discovery Timeline
- 2026-05-04 - CVE-2026-37459 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-37459
Vulnerability Analysis
The vulnerability resides in the BGP attribute parsing code within bgpd/bgp_attr.c. FRR processes the Next Hop Capability (NHC) attribute in BGP UPDATE messages by reading TLV-encoded sub-fields. The parser reads a 16-bit tlv_code and a 16-bit tlv_length from the input stream, then compares tlv_length against the remaining buffer length.
The original check did not account for the size of the TLV header itself. When tlv_length was crafted to be just below the remaining buffer length, the subsequent subtraction length -= tlv_length + BGP_NHC_TLV_MIN_LEN underflowed into a large unsigned value. This caused the parser to continue reading past valid bounds, leading to a crash of the BGP daemon. The weakness is classified as CWE-400 Uncontrolled Resource Consumption.
Root Cause
The root cause is an insufficient bounds check that omitted the TLV header size from the length comparison. The parser assumed tlv_length alone bounded the remaining buffer, but each TLV requires BGP_NHC_TLV_MIN_LEN bytes for its code and length fields before the value. Crafted inputs caused the unsigned arithmetic on length to underflow.
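The underflow described above, as an added example that is not FRR's code: a toy NHC TLV walker that applies either the pre-patch check (length < tlv_length) or the patched check (length < tlv_length + BGP_NHC_TLV_MIN_LEN) to the same constructed input. It assumes BGP_NHC_TLV_MIN_LEN is 4 (a 16-bit code plus a 16-bit length, as the text describes), that the remaining-length counter is a 16-bit unsigned, and that the attribute is followed by other bytes of the UPDATE message; the stream helpers refuse to read past the buffer, so the pre-patch mode reports an over-read and the wrapped counter instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header size: 16-bit tlv_code plus 16-bit tlv_length. */
#define BGP_NHC_TLV_MIN_LEN 4

/* Bounds-checked stand-in for FRR's stream: refuses to read past the end. */
struct stream {
	const uint8_t *buf;
	size_t len;
	size_t pos;
};

static int stream_getw(struct stream *s, uint16_t *out)
{
	if (s->len - s->pos < 2)
		return -1;
	*out = (uint16_t)((s->buf[s->pos] << 8) | s->buf[s->pos + 1]);
	s->pos += 2;
	return 0;
}

static int stream_forward(struct stream *s, size_t n)
{
	if (s->len - s->pos < n)
		return -1;
	s->pos += n;
	return 0;
}

enum nhc_result { NHC_OK, NHC_REJECTED, NHC_OVERREAD };

struct nhc_parse {
	enum nhc_result rc;
	int tlvs;           /* TLVs accepted before parsing stopped */
	uint16_t remaining; /* value of `length` when parsing stopped */
};

/* Walk the TLVs of one NHC attribute whose declared length is attr_length.
 * fixed == 0: pre-patch check (length < tlv_length).
 * fixed != 0: patched check (length < tlv_length + BGP_NHC_TLV_MIN_LEN). */
static struct nhc_parse parse_nhc(const uint8_t *buf, size_t buflen,
				  uint16_t attr_length, int fixed)
{
	struct stream s = { buf, buflen, 0 };
	struct nhc_parse r = { NHC_OK, 0, attr_length };
	uint16_t length = attr_length; /* assumed 16-bit unsigned counter */

	while (length > 0) {
		uint16_t tlv_code, tlv_length;

		if (stream_getw(&s, &tlv_code) < 0 ||
		    stream_getw(&s, &tlv_length) < 0) {
			r.rc = NHC_OVERREAD;
			break;
		}
		(void)tlv_code; /* the toy walker does not dispatch on the code */
		if (fixed ? (length < tlv_length + BGP_NHC_TLV_MIN_LEN)
			  : (length < tlv_length)) {
			r.rc = NHC_REJECTED;
			break;
		}
		if (stream_forward(&s, tlv_length) < 0) {
			r.rc = NHC_OVERREAD;
			break;
		}
		/* Pre-patch: when tlv_length + header exceeds length this wraps
		 * to a value near 65535, so the loop keeps consuming bytes that
		 * belong to whatever follows the attribute. */
		length -= tlv_length + BGP_NHC_TLV_MIN_LEN;
		r.tlvs++;
	}
	r.remaining = length;
	return r;
}

/* Constructed inputs: a 6-byte NHC attribute followed by 4 bytes that stand
 * in for whatever the UPDATE message carries after it. */
#define NHC_ATTR_LEN 6
static const uint8_t nhc_wellformed[] = {
	0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB, /* code 1, length 2, value */
	0xDE, 0xAD, 0xBE, 0xEF              /* bytes after the attribute */
};
static const uint8_t nhc_crafted[] = {
	0x00, 0x01, 0x00, 0x04, 0xAA, 0xBB, /* length 4 <= 6, but 4 + header > 6 */
	0xDE, 0xAD, 0xBE, 0xEF
};

int main(void)
{
	static const char *const names[] = { "ok", "rejected", "over-read" };

	for (int fixed = 0; fixed < 2; fixed++) {
		struct nhc_parse r = parse_nhc(nhc_crafted, sizeof nhc_crafted,
					       NHC_ATTR_LEN, fixed);
		printf("%s check on crafted input: %s, tlvs=%d, remaining=%u\n",
		       fixed ? "patched" : "pre-patch", names[r.rc],
		       r.tlvs, (unsigned)r.remaining);
	}
	return 0;
}
```

With the pre-patch check the crafted input passes, the counter wraps to 65534 after the first TLV and the walker tries to read a second header from bytes that are not part of the attribute; with the patched check the same input is rejected before anything is consumed beyond the header.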
Attack Vector
Exploitation requires the attacker to send a crafted BGP UPDATE message to a vulnerable FRR peer. Because BGP sessions normally require an established TCP peering relationship, the attacker typically must control or compromise a configured BGP neighbor. No authentication or user interaction beyond the BGP session itself is required to trigger the crash.
tlv_code = stream_getw(s);
tlv_length = stream_getw(s);
- if (length < tlv_length) {
+ if (length < tlv_length + BGP_NHC_TLV_MIN_LEN) {
zlog_err("%pBP rcvd BGP NHC TLV length %d exceeds remaining length %d",
peer, tlv_length, length);
bgp_nhc_free(nhc);
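Review bot: the corrected comparison `if (length < tlv_length + BGP_NHC_TLV_MIN_LEN)` is evaluated only after `tlv_code = stream_getw(s);` and `tlv_length = stream_getw(s);` have already consumed the header, so unless the loop already verifies `length >= BGP_NHC_TLV_MIN_LEN` before those two reads, a trailing fragment shorter than a header is still read before it is rejected; add that guard at the top of the iteration. The hunk also stops at `bgp_nhc_free(nhc);`, so the error return that must follow the free is not visible here; confirm the function returns immediately rather than continuing into the `length -= tlv_length + BGP_NHC_TLV_MIN_LEN` subtraction, and a short comment above the check explaining that the header size is included because that same subtraction charges it would help the next reader.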
Source: FRRouting commit 693a2e02. The patch adds BGP_NHC_TLV_MIN_LEN to the length comparison, ensuring the buffer holds the full TLV header plus value before parsing continues.
Detection Methods for CVE-2026-37459
Indicators of Compromise
- Unexpected bgpd process crashes or restarts on FRR routers, especially correlated with receipt of BGP UPDATE messages from a specific peer.
- Log entries from zlog_err referencing BGP NHC TLV length mismatches in bgpd syslog output.
- BGP session resets and route flapping immediately following inbound UPDATE messages containing NHC attributes.
Detection Strategies
- Monitor bgpd daemon health and log streams for repeated termination, segmentation faults, or watchdog-triggered restarts.
- Inspect BGP UPDATE traffic with packet capture tools and flag UPDATE messages that include malformed NHC TLV structures or inconsistent length fields.
- Correlate routing instability events with the source IP of BGP peers to identify a single neighbor sending malformed UPDATEs.
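The per-peer correlation and log-based detection described above, as an added example that is not part of the advisory or of FRR: a small C tool that scans syslog-style lines for the zlog_err message from the patch, tallies occurrences per peer, and counts bgpd crash or service-restart lines. The sample lines are constructed; real bgpd output prefixes the message with %pBP peer formatting and a log identifier, so the token-before-the-marker extraction rule is an assumption that should be adjusted to the deployed log format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PEERS 16
#define PEER_LEN 64

struct peer_tally {
	char peer[PEER_LEN];
	int tlv_errors;
};

/* Substring of the zlog_err message shown in the advisory's patch. */
static const char NHC_MARKER[] = " rcvd BGP NHC TLV length ";

/* Tally NHC TLV length errors per peer. The peer is taken as the
 * whitespace-delimited token immediately before the marker (assumption that
 * matches the constructed sample lines). Returns the number of distinct
 * peers recorded in `out`. */
static size_t tally_nhc_errors(const char *const *lines, size_t nlines,
			       struct peer_tally *out, size_t max_out)
{
	size_t npeers = 0;

	for (size_t i = 0; i < nlines; i++) {
		const char *hit = strstr(lines[i], NHC_MARKER);
		const char *start;
		size_t len, j;

		if (!hit)
			continue;
		start = hit;
		while (start > lines[i] && start[-1] != ' ')
			start--;
		len = (size_t)(hit - start);
		if (len == 0 || len >= PEER_LEN)
			continue;
		for (j = 0; j < npeers; j++)
			if (strlen(out[j].peer) == len &&
			    memcmp(out[j].peer, start, len) == 0)
				break;
		if (j == npeers) {
			if (npeers == max_out)
				continue; /* table full; a real tool would report this */
			memcpy(out[j].peer, start, len);
			out[j].peer[len] = '\0';
			out[j].tlv_errors = 0;
			npeers++;
		}
		out[j].tlv_errors++;
	}
	return npeers;
}

/* Look up one peer's error count; -1 if it never triggered the message. */
static int peer_errors(const struct peer_tally *t, size_t n, const char *peer)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(t[i].peer, peer) == 0)
			return t[i].tlv_errors;
	return -1;
}

/* Count lines that look like a bgpd crash or the service restart after one. */
static int count_bgpd_crashes(const char *const *lines, size_t nlines)
{
	int n = 0;

	for (size_t i = 0; i < nlines; i++) {
		const char *l = lines[i];
		if ((strstr(l, "bgpd") &&
		     (strstr(l, "segfault") || strstr(l, "core dumped"))) ||
		    (strstr(l, "frr.service") && strstr(l, "Main process exited")))
			n++;
	}
	return n;
}

/* Constructed syslog-style sample; not real router output. */
static const char *const sample_log[] = {
	"May  5 10:01:02 rtr1 bgpd[1203]: 192.0.2.1 rcvd BGP NHC TLV length 4 exceeds remaining length 6",
	"May  5 10:01:02 rtr1 bgpd[1203]: 192.0.2.1 rcvd BGP NHC TLV length 9 exceeds remaining length 10",
	"May  5 10:01:03 rtr1 bgpd[1203]: neighbor 198.51.100.7 Up",
	"May  5 10:01:09 rtr1 kernel: bgpd[1203]: segfault at 0 ip 0 sp 0 error 4",
	"May  5 10:01:10 rtr1 systemd[1]: frr.service: Main process exited, code=killed, status=11/SEGV",
	"May  5 10:02:30 rtr1 bgpd[1450]: 203.0.113.9 rcvd BGP NHC TLV length 3 exceeds remaining length 4",
};
#define SAMPLE_LINES (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
	struct peer_tally t[MAX_PEERS];
	size_t n = tally_nhc_errors(sample_log, SAMPLE_LINES, t, MAX_PEERS);

	for (size_t i = 0; i < n; i++)
		printf("peer %s: %d NHC TLV length error(s)%s\n", t[i].peer,
		       t[i].tlv_errors, t[i].tlv_errors > 1 ? "  <-- alert" : "");
	printf("bgpd crash/restart lines: %d\n",
	       count_bgpd_crashes(sample_log, SAMPLE_LINES));
	return 0;
}
```

On a patched router the zlog_err line is the signal that a neighbor is sending malformed NHC TLVs; on an unpatched one the crash lines are what you will see instead, so both counters are worth feeding into the SIEM alert, keyed by peer address.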
Monitoring Recommendations
- Forward bgpd logs to a centralized logging or SIEM platform and create alerts for daemon crashes and TLV length errors.
- Track BGP session state transitions and alert on abnormal frequencies of session resets per peer.
- Capture and retain BGP control-plane traffic on critical routers to support post-incident analysis.
How to Mitigate CVE-2026-37459
Immediate Actions Required
- Upgrade FRRouting to a version containing commit 693a2e02687cdc9d16501275e05136edea9650d9 or any release where the NHC TLV length check has been corrected.
- Audit configured BGP peers and remove or restrict sessions with untrusted networks until patches are applied.
- Enable BGP authentication using TCP-AO or MD5 to reduce the risk of unauthorized peers establishing sessions.
Patch Information
The upstream fix is available in the FRRouting repository. The patch in bgpd/bgp_attr.c validates that the remaining buffer length is sufficient to contain both the TLV value and the TLV header before continued parsing. Refer to the FRRouting GitHub commit for the complete change set and apply vendor-supplied packages from your Linux distribution when available.
Workarounds
- Restrict BGP peering to known, trusted neighbors using infrastructure access control lists (iACLs) on the management and control plane.
- Apply BGP inbound filtering and prefix limits to reduce exposure to malformed UPDATE messages from compromised peers.
- Deploy BGP session monitoring with automatic alerts so a crashing bgpd process can be quickly identified and isolated.
# Verify the running FRR version on a Linux router (from the shell)
vtysh -c 'show version'

# Example: restrict BGP peering to explicitly configured neighbors and require a shared secret
# (entered in vtysh configure mode; replace <strong-shared-secret> with your own value)
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 password <strong-shared-secret>
 no bgp listen range 0.0.0.0/0 peer-group EXTERNAL
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


