Listen to this Post
How CVE-2026-37457 Works
This is an off-by-one out-of-bounds write vulnerability in the `bgp_flowspec_op_decode()` function, located in the `bgpd/bgp_flowspec_util.c` source file of FRRouting (FRR) stable/10.0. The flaw exists in FRR’s BGP FlowSpec implementation, which allows network operators to distribute traffic filtering rules via BGP. A critical error in how the function decodes incoming FlowSpec NLRI components leads to an incorrect length check, specifically when handling the last byte of a component. During decoding, the function fails to account for the exact buffer boundary, causing a write operation to occur one byte beyond the allocated memory space.
An attacker can trigger this condition by supplying a specially crafted FlowSpec component. To exploit the vulnerability, the attacker must first establish a BGP session with the target FRR instance. Once the session is up, they inject a malicious BGP UPDATE message containing a malformed FlowSpec NLRI. The `bgp_flowspec_op_decode()` function, when processing this malicious component, encounters an off-by-one error that causes it to write beyond the limits of a stack- or heap-allocated buffer. This out-of-bounds write corrupts adjacent memory structures, leading to unpredictable behavior.
The immediate result of a successful exploit is a crash of the BGP daemon (bgpd). This crash forces the routing engine to restart, disrupting all BGP sessions and causing a complete loss of routing services on the affected system. While no public proof-of-concept or in-the-wild exploitation has been confirmed, the flaw has been assigned a CVSS base score of 7.5, indicating high severity. The attack vector is network-based, requires low attack complexity, and no privileges or user interaction. The impact is limited to a Denial of Service (DoS), with no compromise of confidentiality or integrity.
A fix has been committed to the FRRouting codebase and is available in the official GitHub repository.
DailyCVE Form:
Platform: FRRouting (FRR)
Version: stable/10.0
Vulnerability : Off-by-one OOB
Severity: High (7.5)
date: 2026-05-01
Prediction: Patch expected July 2026
What Undercode Say:
Check FRR version /usr/lib/frr/bgpd --version Example script to monitor BGP daemon crashes (log parsing) grep -i "bgpd.crash" /var/log/frr/frr.log Simulate a malicious FlowSpec component (conceptual) This is NOT a functional exploit but a high-level illustration. malicious_nlri="<crafted_flowspec_component_with_off_by_one>"
Exploit:
No public exploit or active in-the-wild usage has been documented. Successful exploitation requires a direct BGP session to the target. The crafted FlowSpec message triggers the off-by-one write, corrupting memory and forcing a `bgpd` crash.
Protection:
- Upgrade to a version containing the fix (commit
0e6882bc72c0). - Implement BGP peering access lists to restrict unknown or untrusted peers.
- Deploy network monitoring to detect unexpected BGP daemon restarts.
Impact:
A successful attack causes the `bgpd` daemon to crash, leading to a complete Denial of Service (DoS) of the routing service. All BGP sessions are terminated, and traffic forwarding may be disrupted until the daemon automatically restarts. There is no known risk of code execution or data breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

