Bug 2484046 (CVE-2026-49943) - CVE-2026-49943 bird: BIRD Internet Routing Daemon: Denial of Service via stack-based buffer overflow in BGP AS_PATH processing
Summary: CVE-2026-49943 bird: BIRD Internet Routing Daemon: Denial of Service via stac...
Keywords:
Status: NEW
Alias: CVE-2026-49943
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2489778 2489779
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-02 18:01 UTC by OSIDB Bzimport
Modified: 2026-06-25 15:44 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-02 18:01:43 UTC
CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes.


Note You need to log in before you can comment on or make changes to this bug.