Debian Frr vulnerabilities
48 known vulnerabilities affecting debian/frr.
Total CVEs: 48
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 26, MEDIUM 11, LOW 7
Vulnerabilities
Page 1 of 3
CVE-2026-5107 | LOW | CVSS 2.3 | fixed in frr 10.6.0-2 (forky) | 2026
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identi
CVE-2025-61107 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
tri
CVE-2025-61102 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie: op
CVE-2025-61100 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3
CVE-2025-61106 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie: o
CVE-2025-61103 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie
CVE-2025-61099 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie: o
CVE-2025-61101 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixi
CVE-2025-61105 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie: open
CVE-2025-61104 | HIGH | CVSS 7.5 | fixed in frr 10.5.1-3 (forky) | 2025
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 10.5.1-3)
sid: resolved (fixed in 10.5.1-3)
trixie: open
CVE-2024-44070 | HIGH | CVSS 7.5 | fixed in frr 7.5.1-1.1+deb11u3 (bullseye) | 2024
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
Scope: local
bookworm: open
bullseye: resolved (fixed in 7.5.1-1.1+deb11u3)
forky: resolved (fixed in 10.1-0.2)
sid: resolved (fixed in 10.1-0.2)
trixie: resolved (fixed in 10.1-0.2)
CVE-2024-55553 | HIGH | CVSS 7.5 | fixed in frr 7.5.1-1.1+deb11u4 (bullseye) | 2024
In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Addi
CVE-2024-34088 | HIGH | CVSS 7.5 | fixed in frr 10.0.1-0.1 (forky) | 2024
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 10.0.1-0.1)
sid: resolved (fixed in 10.
CVE-2024-31951 | MEDIUM | CVSS 6.5 | fixed in frr 10.0.1-0.1 (forky) | 2024
In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated).
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 10.0.1-0.1)
sid: resolved (fixed in 10
CVE-2024-31948 | MEDIUM | CVSS 6.5 | fixed in frr 7.5.1-1.1+deb11u3 (bullseye) | 2024
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
Scope: local
bookworm: open
bullseye: resolved (fixed in 7.5.1-1.1+deb11u3)
forky: resolved (fixed in 10.0.1-0.1)
sid: resolved (fixed in 10.0.1-0.1)
trixie: resolved (fixed in 10.0.1-0.1)
CVE-2024-31950 | MEDIUM | CVSS 6.5 | fixed in frr 10.0.1-0.1 (forky) | 2024
In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated).
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 10.0.1-0.1)
sid: resolved (fixed in 10.0.1-0.1)
trixie: resolved (fixed in 10.0.1-0.1)
CVE-2024-27913 | MEDIUM | CVSS 6.5 | fixed in frr 9.1-0.1 (forky) | 2024
ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field.
Scope: local
bookworm: open
bullseye: resolved
forky: resolved (fixed in 9.1-0.1)
sid: resolved (fixed in 9.1-0.1)
trixie: resolved (fi
CVE-2024-31949 | MEDIUM | CVSS 6.5 | fixed in frr 7.5.1-1.1+deb11u3 (bullseye) | 2024
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
Scope: local
bookworm: open
bullseye: resolved (fixed in 7.5.1-1.1+deb11u3)
forky: resolved (fixed in 10.0.1-0.1)
sid: resolved (fixed in 10.0.1-0.1)
trixie: resolved (fixed in 10.0.1-0.1)
CVE-2023-41360 | CRITICAL | CVSS 9.1 | fixed in frr 8.4.4-1.1~deb12u1 (bookworm) | 2023
An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.
Scope: local
bookworm: resolved (fixed in 8.4.4-1.1~deb12u1)
bullseye: resolved
forky: resolved (fixed in 8.4.4-1.1)
sid: resolved (fixed in 8.4.4-1.1)
trixie: resolved (fixed in 8.4.4-1.1)
CVE-2023-38406 | CRITICAL | CVSS 9.8 | fixed in frr 8.4.4-1.1~deb12u1 (bookworm) | 2023
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."
Scope: local
bookworm: resolved (fixed in 8.4.4-1.1~deb12u1)
bullseye: resolved (fixed in 7.5.1-1.1+deb11u3)
forky: resolved (fixed in 8.4.4-1)
sid: resolved (fixed in 8.4.4-1)
trixie: resolved (fixed in 8.4.4-1)