CVE-2026-28532

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published Apr 30, 2026

Vendor unknown

Description

FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

References

https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd
https://github.com/FRRouting/frr/pull/21002
https://github.com/FRRouting/frr/releases/tag/frr-10.5.3
https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions