CVE-2026-46433: lldpd Heap Buffer Over-Read DoS Vulnerability
lldpd, a Linux daemon that implements LLDP (Link Layer Discovery Protocol), contains a heap buffer over-read flaw in its VLAN tag handling code. When processing certain network frames that match the network interface's maximum transmission unit (MTU) size, the daemon reads 4 bytes beyond an allocated memory buffer. This can disrupt the daemon's operation, though it does not directly enable code execution or data theft. The vulnerability affects versions before 1.0.22 and requires network access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
In lldpd versions prior to 1.0.22, the lldpd_decode() function in src/daemon/lldpd.c processes incoming Ethernet frames and removes 802.1Q VLAN tags (4-byte headers that identify virtual LANs). The removal is performed using memmove() to shift the remaining frame payload left by 4 bytes. However, the function calculates the byte count argument to memmove() as 's - 2 * ETHER_ADDR_LEN' when it should be 's - 2 * ETHER_ADDR_LEN - 4'. This off-by-4 calculation causes the function to read 4 bytes beyond the bounds of the heap-allocated buffer (sized via malloc(h_mtu)) when a received frame is exactly MTU-sized. This is classified as a CWE-125 out-of-bounds read.
Business impact
The over-read flaw can cause lldpd to crash, disrupting LLDP discovery services on affected network infrastructure. For environments that rely on LLDP for network device discovery, topology mapping, and network management automation, an unstable daemon creates operational risk. Organizations using lldpd for network inventory or topology discovery may experience outages. However, the vulnerability does not provide remote code execution, authentication bypass, or confidentiality breaches, limiting its direct business impact to availability and operational stability.
Affected systems
lldpd versions prior to 1.0.22 are vulnerable. The vulnerability is present on systems running older builds of lldpd. Linux distributions and embedded network devices that ship lldpd should verify their bundled version. Systems running version 1.0.22 or later are not affected.
Exploitability
The flaw requires an attacker on the same network segment (adjacent network) to craft and transmit a malformed Ethernet frame matching the target interface's MTU size. No authentication or user interaction is necessary; the attack is triggered upon frame receipt. The technical bar for exploitation is moderate—an attacker must generate a correctly-sized frame, but this is straightforward with standard network tools. However, practical exploitation is limited to denial-of-service impact (daemon crash), as the over-read does not enable information disclosure or code execution. CVSS 3.1 scores this at 6.5 (MEDIUM) reflecting the adjacency requirement and availability-only impact.
Remediation
Upgrade lldpd to version 1.0.22 or later. The patch corrects the memmove() byte count calculation to properly account for the 4-byte VLAN tag. Users should check their distribution's package repository for updated builds or rebuild from the upstream project.
Patch guidance
Upgrade to lldpd version 1.0.22 or later. Verify the version running on your systems using 'lldpd -v' or equivalent package manager queries. Most Linux distributions should provide 1.0.22+ through their stable repositories. If running lldpd on embedded network devices or custom distributions, consult your vendor's advisory for patched binaries. In environments where immediate patching is not feasible, isolate affected systems or restrict network access from untrusted adjacent networks as a temporary measure.
Detection guidance
Monitor system logs and dmesg output for lldpd crashes or core dumps, which may indicate exploitation attempts. If your monitoring infrastructure captures network traffic, look for oversized or malformed LLDP frames (Ethertype 0x88cc) on interfaces running vulnerable lldpd versions. Most modern network visibility platforms can filter for LLDP traffic; correlate traffic anomalies with daemon restart timestamps. Also monitor for frequent lldpd process restarts via systemd journal or syslog, which could indicate repeated triggering of the flaw.
Why prioritize this
While CVSS 3.1 assigns this a MEDIUM score (6.5), organizations should prioritize patching based on their reliance on lldpd for network operations. For networks where LLDP is critical to topology discovery, automation, or monitoring, service continuity is important. The vulnerability is neither remotely exploitable nor present on public internet-facing systems (it requires adjacency), so it presents lower absolute risk than remote code execution flaws. However, environments with lldpd on critical infrastructure or network management systems should patch promptly to avoid availability disruptions. Less critical deployments can follow standard change windows.
Risk score, explained
CVSS 3.1 assigns 6.5 (MEDIUM) due to: Attack Vector: Adjacent (AV:A) – attacker must be on the same network segment; Attack Complexity: Low (AC:L) – no special conditions required; Privileges Required: None (PR:N) – unauthenticated attack; User Interaction: None (UI:N) – automatic upon frame receipt; Confidentiality: None (C:N) – no data exposure; Integrity: None (I:N) – no data modification; Availability: High (A:H) – crash impacts service availability. The score reflects local-network reachability and availability impact, with no escalation to code execution or broader system compromise.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. The heap over-read causes denial of service (daemon crash) but does not enable arbitrary code execution. An attacker cannot read or modify system memory in a way that would lead to RCE.
Can this be exploited from the internet?
No. The vulnerability requires the attacker to be on the same network segment (LAN) as the target interface. The attack cannot traverse routers or be launched over the internet.
What should I do if I cannot patch immediately?
Monitor logs for lldpd crashes and consider disabling LLDP on interfaces that do not require it. In high-security environments, restrict network access from untrusted adjacent segments or physically isolate affected systems until patching is possible.
How do I verify whether my system is vulnerable?
Check your lldpd version using 'lldpd -v' or your package manager. Any version before 1.0.22 is affected. Confirm by reviewing release notes or the upstream repository for version 1.0.22 availability on your distribution.
This analysis is provided for informational purposes and represents a reasonable interpretation of the CVE record as of the publication date. Consult the official lldpd project release notes and your vendor's security advisories for authoritative guidance on patch availability and affected versions. Organizations should conduct their own risk assessment based on their specific deployment, network topology, and business context. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure
- CVE-2026-11005MEDIUMOut-of-Bounds Read in Chrome ANGLE on Windows