MEDIUM 6.5

CVE-2026-46433: lldpd Heap Buffer Over-Read DoS Vulnerability

lldpd, a Linux daemon that implements LLDP (Link Layer Discovery Protocol), contains a heap buffer over-read flaw in its VLAN tag handling code. When processing certain network frames that match the network interface's maximum transmission unit (MTU) size, the daemon reads 4 bytes beyond an allocated memory buffer. This can disrupt the daemon's operation, though it does not directly enable code execution or data theft. The vulnerability affects versions before 1.0.22 and requires network access to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

In lldpd versions prior to 1.0.22, the lldpd_decode() function in src/daemon/lldpd.c processes incoming Ethernet frames and removes 802.1Q VLAN tags (4-byte headers that identify virtual LANs). The removal is performed using memmove() to shift the remaining frame payload left by 4 bytes. However, the function calculates the byte count argument to memmove() as 's - 2 * ETHER_ADDR_LEN' when it should be 's - 2 * ETHER_ADDR_LEN - 4'. This off-by-4 calculation causes the function to read 4 bytes beyond the bounds of the heap-allocated buffer (sized via malloc(h_mtu)) when a received frame is exactly MTU-sized. This is classified as a CWE-125 out-of-bounds read.

Business impact

The over-read flaw can cause lldpd to crash, disrupting LLDP discovery services on affected network infrastructure. For environments that rely on LLDP for network device discovery, topology mapping, and network management automation, an unstable daemon creates operational risk. Organizations using lldpd for network inventory or topology discovery may experience outages. However, the vulnerability does not provide remote code execution, authentication bypass, or confidentiality breaches, limiting its direct business impact to availability and operational stability.

Affected systems

lldpd versions prior to 1.0.22 are vulnerable. The vulnerability is present on systems running older builds of lldpd. Linux distributions and embedded network devices that ship lldpd should verify their bundled version. Systems running version 1.0.22 or later are not affected.

Exploitability

The flaw requires an attacker on the same network segment (adjacent network) to craft and transmit a malformed Ethernet frame matching the target interface's MTU size. No authentication or user interaction is necessary; the attack is triggered upon frame receipt. The technical bar for exploitation is moderate—an attacker must generate a correctly-sized frame, but this is straightforward with standard network tools. However, practical exploitation is limited to denial-of-service impact (daemon crash), as the over-read does not enable information disclosure or code execution. CVSS 3.1 scores this at 6.5 (MEDIUM) reflecting the adjacency requirement and availability-only impact.

Remediation

Upgrade lldpd to version 1.0.22 or later. The patch corrects the memmove() byte count calculation to properly account for the 4-byte VLAN tag. Users should check their distribution's package repository for updated builds or rebuild from the upstream project.

Patch guidance

Upgrade to lldpd version 1.0.22 or later. Verify the version running on your systems using 'lldpd -v' or equivalent package manager queries. Most Linux distributions should provide 1.0.22+ through their stable repositories. If running lldpd on embedded network devices or custom distributions, consult your vendor's advisory for patched binaries. In environments where immediate patching is not feasible, isolate affected systems or restrict network access from untrusted adjacent networks as a temporary measure.

Detection guidance

Monitor system logs and dmesg output for lldpd crashes or core dumps, which may indicate exploitation attempts. If your monitoring infrastructure captures network traffic, look for oversized or malformed LLDP frames (Ethertype 0x88cc) on interfaces running vulnerable lldpd versions. Most modern network visibility platforms can filter for LLDP traffic; correlate traffic anomalies with daemon restart timestamps. Also monitor for frequent lldpd process restarts via systemd journal or syslog, which could indicate repeated triggering of the flaw.

Why prioritize this

While CVSS 3.1 assigns this a MEDIUM score (6.5), organizations should prioritize patching based on their reliance on lldpd for network operations. For networks where LLDP is critical to topology discovery, automation, or monitoring, service continuity is important. The vulnerability is neither remotely exploitable nor present on public internet-facing systems (it requires adjacency), so it presents lower absolute risk than remote code execution flaws. However, environments with lldpd on critical infrastructure or network management systems should patch promptly to avoid availability disruptions. Less critical deployments can follow standard change windows.

Risk score, explained

CVSS 3.1 assigns 6.5 (MEDIUM) due to: Attack Vector: Adjacent (AV:A) – attacker must be on the same network segment; Attack Complexity: Low (AC:L) – no special conditions required; Privileges Required: None (PR:N) – unauthenticated attack; User Interaction: None (UI:N) – automatic upon frame receipt; Confidentiality: None (C:N) – no data exposure; Integrity: None (I:N) – no data modification; Availability: High (A:H) – crash impacts service availability. The score reflects local-network reachability and availability impact, with no escalation to code execution or broader system compromise.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. The heap over-read causes denial of service (daemon crash) but does not enable arbitrary code execution. An attacker cannot read or modify system memory in a way that would lead to RCE.

Can this be exploited from the internet?

No. The vulnerability requires the attacker to be on the same network segment (LAN) as the target interface. The attack cannot traverse routers or be launched over the internet.

What should I do if I cannot patch immediately?

Monitor logs for lldpd crashes and consider disabling LLDP on interfaces that do not require it. In high-security environments, restrict network access from untrusted adjacent segments or physically isolate affected systems until patching is possible.

How do I verify whether my system is vulnerable?

Check your lldpd version using 'lldpd -v' or your package manager. Any version before 1.0.22 is affected. Confirm by reviewing release notes or the upstream repository for version 1.0.22 availability on your distribution.

This analysis is provided for informational purposes and represents a reasonable interpretation of the CVE record as of the publication date. Consult the official lldpd project release notes and your vendor's security advisories for authoritative guidance on patch availability and affected versions. Organizations should conduct their own risk assessment based on their specific deployment, network topology, and business context. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).