HIGH 7.5

CVE-2026-37460: FRRouting BGP Input Validation DoS Vulnerability

FRRouting, a widely-used open-source routing protocol suite, contains a flaw in how it validates incoming BGP UPDATE messages. An attacker on the network can send a specially crafted message that causes the routing daemon to crash or become unresponsive, disrupting network operations. This is a network-based denial-of-service vulnerability requiring no authentication or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The rfapiRibBi2Ri() function in rfapi_rib.c lacks sufficient input validation when processing BGP UPDATE messages. Affected versions (stable/10.0 through stable/10.6) fail to check or sanitize certain message fields before dereferencing or processing them, allowing an unauthenticated attacker to trigger a crash or resource exhaustion condition. The vulnerability is classified as CWE-20 (Improper Input Validation).

Business impact

For organizations operating FRRouting in production environments—particularly ISPs, hosting providers, and enterprises with complex routing topologies—this vulnerability poses a significant availability risk. A successful attack can render BGP routing unstable or offline entirely, leading to traffic loss, service disruption, and potential revenue impact. The network-adjacent threat model means internal or near-network attackers pose the most immediate risk.

Affected systems

FRRouting versions stable/10.0, stable/10.1, stable/10.2, stable/10.3, stable/10.4, stable/10.5, and stable/10.6 are confirmed in scope. Older or newer release branches should be verified against the official FRRouting security advisories. Deployments using FRRouting as a route reflector, edge router, or any BGP speaker are directly affected.

Exploitability

Exploitation requires network access to the FRRouting BGP daemon and the ability to send or inject a BGP UPDATE message. No authentication is needed. The attack is straightforward to execute once a BGP session is established or can be achieved by an attacker positioned on the same network segment or with BGP peering capability. The CVSS score of 7.5 reflects the high severity (attack vector: network, complexity: low, privileges: none required, user interaction: none, availability impact: high).

Remediation

Upgrade FRRouting to a patched version beyond stable/10.6. Consult the official FRRouting release notes and security advisories to identify the specific maintenance release that addresses this flaw. Additionally, implement network segmentation and access controls to restrict BGP sessions to trusted peers only, and monitor BGP session stability for unexpected crashes or restarts.

Patch guidance

Check the FRRouting project's official repository and security advisories at frrouting.org for maintenance releases addressing CVE-2026-37460. Patches for this input validation flaw should be available in stable/10.7 or later, or in designated security updates for earlier branches—verify against the vendor advisory before deployment. Test patches in a staging environment that mimics your BGP topology to ensure no regressions in route propagation or failover behavior.

Detection guidance

Monitor FRRouting daemon logs (typically in syslog or journald) for unexpected crashes, segmentation faults, or assertions in the rfapi_rib.c module. Track BGP session state transitions and abnormal terminations of the BGP daemon process. Network-level detection should focus on malformed or suspicious BGP UPDATE messages using flow analysis or BGP monitoring tools. Configure alerting on daemon restarts and resource spikes.

Why prioritize this

This vulnerability merits prompt patching due to its high CVSS score, network-based attack surface, absence of authentication barriers, and direct impact on network availability. While not yet listed in CISA's KEV catalog, the severity and ease of exploitation make it a priority for any organization running FRRouting in a production or critical-path routing role. Prioritize based on the criticality of the routing infrastructure and exposure to untrusted BGP peers.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no privilege or user-interaction requirements and a complete availability impact. The attack complexity is low, meaning no special conditions or timing are needed. Confidentiality and integrity are not affected, but the denial-of-service impact on routing services elevates risk substantially for affected deployments.

Frequently asked questions

Does this affect all versions of FRRouting?

No. Only stable/10.0 through stable/10.6 are confirmed vulnerable. Check the official FRRouting security advisory to confirm whether your branch and version are in scope, and verify if patches are available for older stable branches.

Can this be exploited from outside our network?

Yes, if your FRRouting instance accepts BGP connections from external peers or if an attacker can establish or inject packets into a BGP session. Organizations using route reflectors or edge routers that peer with upstream providers face higher exposure than internal-only deployments.

Do we need to restart services immediately, or can we schedule maintenance?

If you are actively receiving BGP updates from untrusted or external peers, prioritize patching and testing within your maintenance window. Internal-only or well-controlled BGP environments may allow for more flexible scheduling, but do not delay unnecessarily given the high severity.

What should we do while waiting for a patch?

Restrict BGP peering to known, trusted sources using access control lists (ACLs) and firewall rules. Monitor FRRouting daemon stability and BGP session metrics closely. Consider temporarily disabling BGP on non-critical routers until patches are deployed and validated.

This analysis is provided for informational and educational purposes. SEC.co does not warrant the accuracy or completeness of this information. Organizations should verify all patch versions, compatibility, and applicability against official vendor advisories before deployment. No exploit code or attack tooling is included or implied. Always test patches in a non-production environment first. Consult your security team and vendor support for guidance specific to your infrastructure and risk profile. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).