CVE-2026-48686
Publication date 26 May 2026
Last updated 18 June 2026
Ubuntu priority
Cvss 3 Severity Score
Description
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| fastnetmon | 26.04 LTS resolute |
Fixed 1.2.8+git20250911-2ubuntu0.1~esm1
|
| 24.04 LTS noble |
Fixed 1.2.6-1ubuntu0.1~esm1
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version: CVSS v3.0
Base score
9.8 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-48686
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow
- https://github.com/pavel-odintsov/fastnetmon/pull/1053
- https://github.com/pavel-odintsov/fastnetmon/commit/265a767635767d7a08391dbe7f98f750d2ea04d0
- https://github.com/pavel-odintsov/fastnetmon
- https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp