Vulnerability Details CVE-2026-48691
FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.4%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-48691
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.0.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.1
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.2
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.3
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.4
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.5
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.6
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.7
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.8
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.1.9
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.0
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.1
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.2
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.3
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.4
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.5
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.6
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.7
-
cpe:2.3:a:pavel-odintsov:fastnetmon:1.2.8