External risk intelligence

FRRouting systems can be disrupted by attackers sending bad data

CVE advisorySeverity: HIGH (CVSS 7.5)

CVE-2026-37457

A flaw in FRRouting can lead to network disruption. An attacker can cause a denial of service by sending a specially crafted network input to vulnerable systems.

3Halo Surface Signal

Out-of-bounds Write

Frrouting

10.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-37457

FRRouting (FRR) is a routing protocol suite. While BGP and FlowSpec are network-facing protocols, they are typically deployed within core network infrastructure, between BGP peers, or at the network edge, rather than being exposed directly to the public internet as a general-purpose service. Reachability depends heavily on specific network topology and peering arrangements.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A bug in FRRouting's FlowSpec component could allow an attacker to cause a denial of service. This means the routing service might become unavailable.

  • Attackers can crash the service.
  • Impact is on network availability.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted FlowSpec components to a vulnerable FRRouting instance. This crafted data will cause the `bgp_flowspec_op_decode` function to write out of bounds, leading to a denial of service on the affected router.

  • Network access required.
  • Target: BGP FlowSpec component.
  • Condition: Malformed FlowSpec data.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this CVE for widespread exploitation due to its specific nature within network infrastructure. While the vulnerability allows for Denial of Service, the targeted components are typically managed by network professionals and not directly exposed to the public internet, limiting its appeal for opportunistic attacks.

  • Targeting specific network infrastructure.
  • Exploitation requires deep network knowledge.
  • No public exploit available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation of network traffic for crafted FlowSpec components targeting FRRouting's `bgp_flowspec_op_decode` function, as this vulnerability can lead to a denial of service. Given the network-facing nature of BGP and FlowSpec, and the lack of known reliable public exploits, focus on detection and containment if immediate patching is not feasible.

  • Monitor for unusual FlowSpec components.
  • Block traffic with malformed FlowSpec.
  • Apply FRR version stable/10.0 or later.

Frequently asked questions

What is the software context for CVE-2026-37457?

CVE-2026-37457 affects FRRouting (FRR) version stable/10.0. This vulnerability lies within the `bgp_flowspec_op_decode()` function located in `bgpd/bgp_flowspec_util.c`.

What weakness class does CVE-2026-37457 represent?

This vulnerability is classified as CWE-787, which denotes an out-of-bounds write. An attacker can exploit this by supplying specially crafted data, leading to unintended memory writes.

What is the trigger path and scope negation for this vulnerability?

The vulnerability is triggered by an attacker supplying a crafted FlowSpec component. The scope is not negated, meaning the vulnerability directly impacts the availability of the affected FRRouting instance.

What is the relevance of CVE-2026-37457 and the Halo Surface Signal?

The Halo Surface Signal indicates a 'Possible' relevance, scoring 3. While BGP and FlowSpec are network-facing, they are typically deployed within core network infrastructure, limiting direct public internet exposure and thus the widespread appeal for opportunistic attacks. Exploitation requires specific network knowledge and topology.

What is a practical response to this vulnerability?

Prioritize investigating network traffic for crafted FlowSpec components targeting FRRouting's `bgp_flowspec_op_decode()` function. Monitor for unusual FlowSpec components and block traffic with malformed FlowSpec data. If immediate patching is not feasible, focus on detection and containment. Apply FRR version stable/10.0 or later.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified