frrouting 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk memory corruption、vendor risk input validation, and パス処理の欠陥 に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で アプリケーションクラッシュ and vendor impact unexpected behavior などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-37458 | Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message. | [email protected] | 6.5 | 0.25% | 2026-05-04 | 2026-05-11 |
| CVE-2026-37457 | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | [email protected] | 7.5 | 0.26% | 2026-05-01 | 2026-05-29 |
| CVE-2026-28532 | FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads | [email protected] | 6.0 | 0.22% | 2026-04-30 | 2026-05-01 |
| CVE-2026-5107 | A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch. | [email protected] | 2.3 | 0.28% | 2026-03-30 | 2026-04-29 |
| CVE-2025-61107 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet. | [email protected] | 7.5 | 0.52% | 2025-10-28 | 2025-10-31 |
| CVE-2025-61106 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.52% | 2025-10-28 | 2025-10-31 |
| CVE-2025-61104 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.52% | 2025-10-28 | 2025-10-31 |
| CVE-2025-61103 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.52% | 2025-10-28 | 2025-10-31 |
| CVE-2025-61105 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.41% | 2025-10-27 | 2025-11-03 |
| CVE-2025-61102 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.41% | 2025-10-27 | 2025-11-03 |
| CVE-2025-61101 | FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet. | [email protected] | 7.5 | 0.41% | 2025-10-27 | 2025-11-03 |
| CVE-2025-61100 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions. | [email protected] | 7.5 | 0.41% | 2025-10-27 | 2025-11-03 |
| CVE-2025-61099 | FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet. | [email protected] | 7.5 | 0.41% | 2025-10-27 | 2025-11-03 |
| CVE-2024-44070 | An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value. | [email protected] | 7.5 | 0.64% | 2024-08-19 | 2025-11-04 |
| CVE-2024-34088 | In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. | [email protected] | 7.5 | 0.69% | 2024-04-30 | 2025-05-01 |
| CVE-2024-31951 | In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). | [email protected] | 6.5 | 0.54% | 2024-04-07 | 2025-05-01 |
| CVE-2024-31950 | In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). | [email protected] | 6.5 | 0.51% | 2024-04-07 | 2025-05-01 |
| CVE-2024-31949 | In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing. | [email protected] | 6.5 | 0.70% | 2024-04-07 | 2025-11-04 |
| CVE-2024-31948 | In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash. | [email protected] | 6.5 | 0.83% | 2024-04-07 | 2025-11-04 |
| CVE-2024-27913 | ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 9.1 allows remote attackers to cause a denial of service (ospfd daemon crash) via a malformed OSPF LSA packet, because of an attempted access to a missing attribute field. | [email protected] | 6.5 | 0.32% | 2024-02-28 | 2025-03-26 |