Writeup Exploits
62,320 exploits tracked across all sources.
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Dump Function
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
CVSS 7.5
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Dump Function
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
CVSS 7.5
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Dump Function
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
CVSS 7.5
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Update Packet
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
CVSS 7.5
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Update Packet
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
CVSS 7.5
FRRouting 2.0-10.4.1 - Denial of Service via OSPF Opaque LSA Update Packet
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
CVSS 7.5
FRRouting 6.0-10.2.1 - Denial of Service via RTR Update Buffer Overflow
In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors. Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3.
CVSS 7.5
FRRouting < 10.1 - Denial of Service via BGP Attribute TLV Length Mismatch
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
CVSS 7.5
FRRouting < 9.1 - Denial of Service via NULL Pointer Dereference in OSPF get_edge Function
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.
CVSS 7.5
FRRouting < 9.1 - Denial of Service via OSPF LSA Segment Routing Adjacency SID SubTLV Parsing
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
CVSS 6.5
FRRouting < 9.1 - Denial of Service via OSPF LSA Segment Routing Adjacency SID SubTLV Parsing
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
CVSS 6.5
FRRouting < 9.1 - Buffer Overflow in OSPF LSA Segment Routing subTLV Parsing
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
CVSS 6.5
FRRouting < 9.1 - Buffer Overflow in OSPF LSA Segment Routing subTLV Parsing
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
CVSS 6.5
FRRouting < 9.1 - Denial of Service via MP/GR Capability Infinite Loop
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
CVSS 6.5
FRRouting < 9.1 - Denial of Service via MP/GR Capability Infinite Loop
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
CVSS 6.5
FRRouting < 9.1 - Denial of Service via Malformed Prefix SID Attribute in BGP UPDATE Packet
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVSS 6.5
FRRouting < 9.1 - Denial of Service via Malformed Prefix SID Attribute in BGP UPDATE Packet
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVSS 6.5
FRRouting < 9.0 - Denial of Service via Malformed OSPF LSA Packet
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
CVSS 6.5
FRRouting < 9.0.1 - Denial of Service via Malformed BGP UPDATE Message
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
CVSS 7.5
FRRouting < 9.0.1 - Denial of Service via Crafted BGP UPDATE Message
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when processing a crafted BGP UPDATE message with a MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory path attributes).
CVSS 7.5
FRRouting < 9.0.1 - Denial of Service via Crafted BGP UPDATE Message
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
CVSS 5.9
FRRouting < 9.0.1 - Denial of Service via Malformed MP_REACH_NLRI Data
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
CVSS 5.9
FRRouting < 9.0 - Denial of Service via NULL Pointer Dereference in BGP FlowSpec Parser
An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.
CVSS 7.5
FRRouting FRR <9.0 - Info Disclosure
An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.
CVSS 9.8
FRRouting < 9.0 - Out-of-bounds Read in bgpd/bgp_packet.c
An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.
CVSS 9.1
By Source