CVE-2026-37460: FRRouting BGP Input Validation DoS Vulnerability
FRRouting, a widely-used open-source routing protocol suite, contains a flaw in how it validates incoming BGP UPDATE messages. An attacker on the network can send a specially crafted message that causes the routing daemon to crash or become unresponsive, disrupting network operations. This is a network-based denial-of-service vulnerability requiring no authentication or user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The rfapiRibBi2Ri() function in rfapi_rib.c lacks sufficient input validation when processing BGP UPDATE messages. Affected versions (stable/10.0 through stable/10.6) fail to check or sanitize certain message fields before dereferencing or processing them, allowing an unauthenticated attacker to trigger a crash or resource exhaustion condition. The vulnerability is classified as CWE-20 (Improper Input Validation).
Business impact
For organizations operating FRRouting in production environments—particularly ISPs, hosting providers, and enterprises with complex routing topologies—this vulnerability poses a significant availability risk. A successful attack can render BGP routing unstable or offline entirely, leading to traffic loss, service disruption, and potential revenue impact. The network-adjacent threat model means internal or near-network attackers pose the most immediate risk.
Affected systems
FRRouting versions stable/10.0, stable/10.1, stable/10.2, stable/10.3, stable/10.4, stable/10.5, and stable/10.6 are confirmed in scope. Older or newer release branches should be verified against the official FRRouting security advisories. Deployments using FRRouting as a route reflector, edge router, or any BGP speaker are directly affected.
Exploitability
Exploitation requires network access to the FRRouting BGP daemon and the ability to send or inject a BGP UPDATE message. No authentication is needed. The attack is straightforward to execute once a BGP session is established or can be achieved by an attacker positioned on the same network segment or with BGP peering capability. The CVSS score of 7.5 reflects the high severity (attack vector: network, complexity: low, privileges: none required, user interaction: none, availability impact: high).
Remediation
Upgrade FRRouting to a patched version beyond stable/10.6. Consult the official FRRouting release notes and security advisories to identify the specific maintenance release that addresses this flaw. Additionally, implement network segmentation and access controls to restrict BGP sessions to trusted peers only, and monitor BGP session stability for unexpected crashes or restarts.
Patch guidance
Check the FRRouting project's official repository and security advisories at frrouting.org for maintenance releases addressing CVE-2026-37460. Patches for this input validation flaw should be available in stable/10.7 or later, or in designated security updates for earlier branches—verify against the vendor advisory before deployment. Test patches in a staging environment that mimics your BGP topology to ensure no regressions in route propagation or failover behavior.
Detection guidance
Monitor FRRouting daemon logs (typically in syslog or journald) for unexpected crashes, segmentation faults, or assertions in the rfapi_rib.c module. Track BGP session state transitions and abnormal terminations of the BGP daemon process. Network-level detection should focus on malformed or suspicious BGP UPDATE messages using flow analysis or BGP monitoring tools. Configure alerting on daemon restarts and resource spikes.
Why prioritize this
This vulnerability merits prompt patching due to its high CVSS score, network-based attack surface, absence of authentication barriers, and direct impact on network availability. While not yet listed in CISA's KEV catalog, the severity and ease of exploitation make it a priority for any organization running FRRouting in a production or critical-path routing role. Prioritize based on the criticality of the routing infrastructure and exposure to untrusted BGP peers.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no privilege or user-interaction requirements and a complete availability impact. The attack complexity is low, meaning no special conditions or timing are needed. Confidentiality and integrity are not affected, but the denial-of-service impact on routing services elevates risk substantially for affected deployments.
Frequently asked questions
Does this affect all versions of FRRouting?
No. Only stable/10.0 through stable/10.6 are confirmed vulnerable. Check the official FRRouting security advisory to confirm whether your branch and version are in scope, and verify if patches are available for older stable branches.
Can this be exploited from outside our network?
Yes, if your FRRouting instance accepts BGP connections from external peers or if an attacker can establish or inject packets into a BGP session. Organizations using route reflectors or edge routers that peer with upstream providers face higher exposure than internal-only deployments.
Do we need to restart services immediately, or can we schedule maintenance?
If you are actively receiving BGP updates from untrusted or external peers, prioritize patching and testing within your maintenance window. Internal-only or well-controlled BGP environments may allow for more flexible scheduling, but do not delay unnecessarily given the high severity.
What should we do while waiting for a patch?
Restrict BGP peering to known, trusted sources using access control lists (ACLs) and firewall rules. Monitor FRRouting daemon stability and BGP session metrics closely. Consider temporarily disabling BGP on non-critical routers until patches are deployed and validated.
This analysis is provided for informational and educational purposes. SEC.co does not warrant the accuracy or completeness of this information. Organizations should verify all patch versions, compatibility, and applicability against official vendor advisories before deployment. No exploit code or attack tooling is included or implied. Always test patches in a non-production environment first. Consult your security team and vendor support for guidance specific to your infrastructure and risk profile. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)