MEDIUM 6.3

CVE-2026-49943: CZ.NIC BIRD Stack Buffer Overflow in BGP AS_PATH Handling

CZ.NIC BIRD Internet Routing Daemon versions up to 2.19.0 contain a stack-based buffer overflow vulnerability in its BGP AS_PATH filtering logic. When BIRD processes BGP UPDATE messages containing exceptionally long AS_PATH attributes—particularly when RFC 8654 Extended Messages are enabled—a mismatch between the fixed buffer size and the actual incoming data can cause the daemon to crash. An authenticated BGP peer can trigger this by sending a specially crafted UPDATE with an AS_PATH longer than what the code expects, leading to denial of service of the routing daemon.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in nest/a-path.c within the as_path_match() function, which uses a fixed-size stack array dimensioned for 2048 + 1 ASN entries. The parse_path() function expands AS_PATH segments from received BGP UPDATE messages without enforcing a corresponding upper bound. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression (e.g., "bgp_path ~ [= ... =]"), an authenticated peer can transmit a BGP UPDATE containing more than 2048 expanded Autonomous System Numbers. This causes out-of-bounds writes on the stack, corrupting adjacent memory and crashing the daemon. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow).

Business impact

BIRD daemon crashes result in immediate loss of BGP routing functionality, disrupting network convergence and potentially isolating affected AS segments. This is particularly severe for networks using BIRD in production routing roles (e.g., ISPs, large enterprises, IXPs). Recovery requires manual daemon restart, during which BGP adjacencies are lost and traffic reroutes may be delayed or suboptimal. Organizations relying on BIRD for dynamic routing to multiple upstream providers or transit customers face outages until the daemon is restored.

Affected systems

CZ.NIC BIRD Internet Routing Daemon through version 2.19.0 is affected when RFC 8654 BGP Extended Messages support is enabled (a feature increasingly common in modern deployments to support larger BGP attribute sets). Any BIRD instance exposing a BGP interface to untrusted or insufficiently filtered external peers is at risk. Internal deployments with strict AS_PATH filtering and trusted peer lists face lower practical risk.

Exploitability

Exploitation requires an authenticated BGP session with the affected BIRD daemon. An attacker cannot trigger the overflow via anonymous network packets; they must establish a valid BGP neighbor relationship. This requirement elevates the attack complexity, as BGP peering typically occurs between known network operators who often apply upstream filtering. However, in environments with open peering policies, compromised peer routers, or misconfigured access controls, the threshold for exploitation is relatively low. No interaction beyond a single malicious BGP UPDATE message is required to crash the daemon.

Remediation

Upgrade CZ.NIC BIRD to a patched version addressing the AS_PATH buffer overflow—verify the specific version against the vendor advisory. Organizations unable to patch immediately should implement layer-4 access controls restricting BGP sessions to a trusted whitelist of peer AS numbers and network blocks. Disable RFC 8654 Extended Messages if not operationally required, reducing the attack surface, though this may limit support for newer BGP features. Monitor BGP session stability and daemon logs for unexpected restarts.

Patch guidance

Consult the official CZ.NIC BIRD project repository and release notes for the next available version after 2.19.0 that addresses CVE-2026-49943. Patch deployment should be tested in a staging environment first to validate filter expressions and BGP adjacency stability. Coordinate patching with maintenance windows to minimize routing churn. If extended message support is not essential for your deployment, consider disabling it during the transition period to reduce risk exposure.

Detection guidance

Monitor for unexpected BIRD daemon restarts or crashes, particularly correlating with BGP UPDATE message receipt from external peers. Enable verbose BGP logging to capture incoming UPDATE attributes, focusing on AS_PATH length and segment count. Alert on any AS_PATH attribute exceeding 1024 ASNs or UPDATE messages significantly larger than typical operational baselines. Network-level detection is limited; focus on endpoint logging of daemon state changes and BGP session state transitions. Correlate crashes with timestamps of suspected malicious peer communication if forensic data is available.

Why prioritize this

This vulnerability carries a CVSS 3.1 score of 6.3 (Medium) due to the requirement for authenticated access and limited scope of impact (denial of service only, no code execution or data leak). However, the practical severity is elevated for networks where BIRD is a critical routing component. Prioritization should reflect your infrastructure's reliance on BIRD relative to redundancy and failover strategies. Networks with single-point-of-failure BIRD deployments should treat this as high priority; those with full redundancy may schedule patching as routine maintenance.

Risk score, explained

The CVSS 6.3 reflects network-adjacent attack vector, high complexity (BGP peering required), low privilege assumption (authenticated peer), and high availability impact (crash). The score does not account for organizational factors such as BIRD's criticality in your topology or the likelihood of receiving long AS_PATH attributes in your peering profile. Organizations with strict incoming filter policies and geographically isolated peering may see reduced real-world risk; those accepting routes from public exchanges or high-peer-count networks face elevated exposure.

Frequently asked questions

Do I need RFC 8654 Extended Messages enabled to be vulnerable?

Yes. The overflow is specifically triggered when Extended Messages are enabled and a filter evaluates an AS_PATH mask expression. If your BIRD configuration does not enable RFC 8654 and does not use AS_PATH matching in filters, the attack vector is not present. However, verify your configuration explicitly rather than assuming defaults, as this feature may be enabled by default in newer BIRD releases.

Can this vulnerability be exploited by unauthenticated attackers?

No. The attacker must establish a valid BGP session (which requires a configured neighbor relationship and successful BGP OPEN/KEEPALIVE handshake). Unauthenticated network traffic cannot trigger the overflow. This requirement significantly reduces the attack surface but does not eliminate risk in environments with open peering policies or compromised peer routers.

Why hasn't CZ.NIC prioritized a fix?

According to the vendor, the expectation is that network operators should already be rejecting or rate-limiting routes with unusually long AS_PATH attributes as a matter of operational best practice. This reflects the perspective that BGP route validation and attribute filtering are the operator's responsibility. However, relying solely on peer filtering introduces operational complexity and risk if filtering policies are misconfigured or if a peer is inadvertently misconfigured to accept invalid routes.

If BIRD crashes, how long until automatic recovery?

BIRD does not auto-restart by default after a crash. You must either manually restart the daemon or use external process supervision (e.g., systemd, supervisor, or custom monitoring scripts). Organizations should implement automated restart logic and alerting to minimize recovery time. Test your restart procedures in advance to ensure BGP convergence occurs within your SLA requirements.

This analysis is provided for informational purposes. Security decisions should incorporate your organization's specific topology, traffic patterns, and risk tolerance. Verify all patch version numbers and remediation steps against official CZ.NIC advisories before deployment. No exploit code or weaponized proof-of-concept is provided. Test all patches in non-production environments first. This vulnerability requires authenticated access; review your BGP peering policies and filtering rules to assess exposure in your network. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).