CVE-2026-28532

EUVD-2026-26418

30.04.2026, 21:16

FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Affected Products (NVD)

Vendor	Product	Version
frrouting	frrouting	𝑥 < 10.5.3

𝑥

= Vulnerable software versions

Azure Linux Releases

Azure Package

Release

frr

Azure Linux 3.0

0:10.5.0-3.azl3

fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] FRRouting Project FRRouting: Mehrere Schwachstellen ermöglichen Denial of Service
Ein Angreifer kann mehrere Schwachstellen in FRRouting Project FRRouting ausnutzen, um einen Denial of Service Angriff durchzuführen.
Published: 2026-05-03T22:00:00+00:00

References

https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd

https://github.com/FRRouting/frr/pull/21002

https://github.com/FRRouting/frr/releases/tag/frr-10.5.3

https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions