FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
1.2.4-4build11.2.4-4ubuntu0.11.2.4-4ubuntu0.41.2.4-4ubuntu0.57.5.1-1.18.1-18.1-1ubuntu18.1-1ubuntu1.18.1-1ubuntu1.108.1-1ubuntu1.118.1-1ubuntu1.138.1-1ubuntu1.148.1-1ubuntu1.158.1-1ubuntu1.2+7 more8.4.4-1.1ubuntu18.4.4-1.1ubuntu38.4.4-1.1ubuntu48.4.4-1.1ubuntu58.4.4-1.1ubuntu68.4.4-1.1ubuntu6.18.4.4-1.1ubuntu6.28.4.4-1.1ubuntu6.38.4.4-1.1ubuntu6.48.4.4-1.1ubuntu6.5+1 more10.2.1-1ubuntu310.3-3ubuntu210.4.1-3ubuntu110.4.1-3ubuntu1.110.4.1-3ubuntu1.210.4.1-3ubuntu1.310.4.1-3ubuntu110.4.1-3ubuntu210.5.1-1ubuntu110.5.1-1ubuntu210.5.1-1ubuntu310.5.1-1ubuntu40.99.24.1-20.99.24.1-2ubuntu10.99.24.1-2ubuntu1.10.99.24.1-2ubuntu1.20.99.24.1-2ubuntu1.30.99.24.1-2ubuntu1.40.99.24.1-2ubuntu1.4+esm11.1.1-31.1.1-3ubuntu11.2.2-11.2.2-1ubuntu11.2.4-11.2.4-1ubuntu0.1~esm11.2.4-1ubuntu0.1~esm26.0.2-2build27.2-1ubuntu17.2-1ubuntu27.2.1-17.2.1-1ubuntu0.17.2.1-1ubuntu0.27.2.1-1ubuntu0.2+esm17.2.1-1ubuntu0.2+esm27.2.1-1ubuntu0.2+esm37.2.1-1ubuntu0.2+esm4Exploitability
AV:AAC:LAT:PPR:NUI:NVulnerable System
VC:NVI:NVA:HSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N