FRRouting < 10.5.3 Integer Overflow in OSPF TLV Parser Functions

Advisories

severity: medium
date: 4/30/2026
Affecting: FRRouting < 10.5.3
CVE: CVE-2026-28532
CWE: CWE-190 Integer Overflow or Wraparound
CWE-125 Out-of-bounds Read
CVSS: 6
CVSS V4 Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: Release Notes
Pull Request
Patch Commit
Credit: Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.
Description: FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo