CVE-2026-48686

Severity CVSS v4.0:
Pending analysis
Type:
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
26/05/2026
Last modified:
27/05/2026

Description

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is 32 causes undefined behavior.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:* 1.2.9 (including)