CVE-2026-28532: Integer Overflow in FRRouting Routers

An attacker exploiting CVE-2026-28532 can craft a malicious Link State Advertisement (LSA) packet within an OSPF (Open Shortest Path First) update. Specifically, a Type 10 or Type 11 Opaque LSA is used to trigger the overflow. The vulnerability lies in the parsing of Traffic Engineering and Segment Routing TLVs, where a uint16t accumulator truncates larger uint32t values. This truncation causes the loop termination condition to fail, leading to unchecked pointer advancement and ultimately, out-of-bounds memory reads. Successful exploitation can cause affected routers to crash, disrupting network connectivity. The blast radius extends to the entire OSPF area or autonomous system, as the malicious packet propagates through the routing domain. This vulnerability shares similarities with other routing protocol exploitation techniques that leverage malformed packets to destabilize network infrastructure.

1. Veröffentlicht2026-04-30
2. Geändert2026-05-01
3. EPSS aktualisiert2026-05-08

The primary mitigation for CVE-2026-28532 is to upgrade FRRouting to version 10.5.4 or later, which contains the fix. If immediate upgrade is not possible, consider implementing temporary workarounds. Network administrators should carefully examine OSPF LS Update packets for anomalies, although detecting malicious packets can be challenging. Deploying a network intrusion detection system (NIDS) with rules to identify malformed OSPF packets can provide an early warning. While a Web Application Firewall (WAF) is not directly applicable here, a next-generation firewall (NGFW) with deep packet inspection capabilities might be able to detect and block suspicious OSPF traffic. After upgrading, verify the fix by sending a test OSPF packet designed to trigger the vulnerability (as described in the NVD details) and confirming that it no longer causes a crash.