Vulnerability Details CVE-2026-48686
FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.9%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-48686
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.0.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.1
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.2
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.3
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.4
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.5
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.6
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.7
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.8
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.9
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.1
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.2
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.3
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.4
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.5
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.6
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.7
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.8