CVE-2026-28532

· NIST NVD ↗

FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.

MEDIUM
CVSS severity
6.5
CVSS base score
2026-04-30
Published

CWE codes

CWE-125CWE-190

Affected products

frrouting:frrouting

Sources