CVE-2018-5379
HIGHQuagga BGP daemon <1.2.3 - Use After Free
Title source: llmDescription
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
Scores
CVSS v3
7.5
EPSS
0.0549
EPSS Percentile
90.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-415
Status
published
Affected Products (17)
quagga/quagga
< 1.2.2
debian/debian_linux
debian/debian_linux
debian/debian_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
redhat/enterprise_linux_server
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_aus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_eus
redhat/enterprise_linux_server_tus
redhat/enterprise_linux_server_tus
... and 2 more
Timeline
Published
Feb 19, 2018
Tracked Since
Feb 18, 2026