2481507 – (CVE-2026-48684) CVE-2026-48684 fastnetmon: out-of-bounds read in the NetFlow v9 options template parser

Bug 2481507 (CVE-2026-48684) - CVE-2026-48684 fastnetmon: out-of-bounds read in the NetFlow v9 options template parser

Summary: CVE-2026-48684 fastnetmon: out-of-bounds read in the NetFlow v9 options templ...

Keywords:
Status:	NEW
Alias:	CVE-2026-48684
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2482713 2482714
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-26 16:02 UTC by OSIDB Bzimport
Modified:	2026-06-10 13:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-26 16:02:19 UTC

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer.

Note You need to log in before you can comment on or make changes to this bug.