FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
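The truncation described above, as an added example that is not FRRouting's code or its patch: a minimal model of a TLV walker with a 16-bit accumulator beside a bounds-checked one. The function names, the 4-byte header layout, the 4-byte padding rule and both sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR 4u /* assumed TLV header: 2-byte type + 2-byte length */
enum walk { WALK_OK, WALK_OUT_OF_BOUNDS, WALK_REJECTED };

/* Constructed samples: two well-formed TLVs, and one TLV claiming 0xFFFF bytes. */
static const uint8_t GOOD[16] = {0,1,0,4, 1,2,3,4,  0,2,0,2, 9,9,0,0};
static const uint8_t BAD[8]   = {0,1,0xFF,0xFF, 0,0,0,0};

/* Model of a size macro: header + body padded to 4 bytes, as a 32-bit value. */
static uint32_t tlv_size(const uint8_t *b, size_t off) {
    uint32_t len = ((uint32_t)b[off + 2] << 8) | b[off + 3];
    return HDR + ((len + 3u) & ~3u);
}

/* Flawed pattern: 16-bit accumulator. The cursor is an offset, so this
 * demo reports where a real parser would read instead of reading there. */
static enum walk walk_u16(const uint8_t *buf, size_t buflen, uint16_t total) {
    uint16_t sum = 0;
    size_t cur = 0;
    while (sum < total) {
        if (cur + HDR > buflen) return WALK_OUT_OF_BOUNDS;
        uint32_t sz = tlv_size(buf, cur);
        sum = (uint16_t)(sum + sz); /* what `sum += sz` does: high bits dropped */
        cur += sz;                  /* cursor still advances by the full size */
    }
    return WALK_OK;
}

/* Hardened pattern: 32-bit accumulator, each TLV checked against what remains. */
static enum walk walk_checked(const uint8_t *buf, size_t buflen, uint16_t total) {
    uint32_t sum = 0;
    if (total > buflen) return WALK_REJECTED;
    while (sum < total) {
        if (total - sum < HDR) return WALK_REJECTED;
        uint32_t sz = tlv_size(buf, sum);
        if (sz > total - sum) return WALK_REJECTED;
        sum += sz;
    }
    return WALK_OK;
}

int main(void) {
    printf("good: u16=%d checked=%d\n", walk_u16(GOOD, 16, 16), walk_checked(GOOD, 16, 16));
    printf("bad:  u16=%d checked=%d\n", walk_u16(BAD, 8, 8), walk_checked(BAD, 8, 8));
    return 0;
}
```

In the constructed `BAD` buffer the computed size is 0x10004, which the 16-bit accumulator stores as 4, so the loop condition still holds while the cursor is already far past the end of the buffer.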
References
| Link | Resource |
|---|---|
| https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd | Patch |
| https://github.com/FRRouting/frr/pull/21002 | Issue Tracking, Patch |
| https://github.com/FRRouting/frr/releases/tag/frr-10.5.3 | Release Notes |
| https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions | Third Party Advisory |
History
01 May 2026, 17:48
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*:* | |
| References | () https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd - Patch | |
| References | () https://github.com/FRRouting/frr/pull/21002 - Issue Tracking, Patch | |
| References | () https://github.com/FRRouting/frr/releases/tag/frr-10.5.3 - Release Notes | |
| References | () https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions - Third Party Advisory | |
| First Time | | Frrouting frrouting; Frrouting |
30 Apr 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-04-30 21:16
Updated : 2026-05-01 17:48
NVD link : CVE-2026-28532
Mitre link : CVE-2026-28532
CVE.ORG link : CVE-2026-28532
Products Affected
frrouting
- frrouting
