CVE-2026-37460: Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c)
Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing input validation in the rfapiRibBi2Ri() function of FRRouting (FRR) allows a remote, unauthenticated attacker to crash the routing daemon by sending a crafted BGP UPDATE message over the network. The flaw affects FRR stable/10.0 through stable/10.6 and is reachable without any prior authentication or user interaction. Successful exploitation disrupts routing services, causing a denial of service for all traffic dependent on the affected FRR instance. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle FRR binaries directly. Any image found running FRR stable/10.0 through stable/10.6 is flagged automatically.
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream FRR project publishes a correction. In the meantime, compensating-control recommendations (described below) are surfaced in the triage findings for affected images.
Exploit Conditions
- Network reachability: Required
The attacker must reach the FRR BGP listener over the network; the service must be accessible from the attacker's position to deliver a crafted BGP UPDATE message.
- Authentication: Not required
No credentials or prior account are needed; the malicious BGP UPDATE message can be sent by any peer or unauthenticated source that can reach the listener.
- Victim interaction: Not required
No user or administrator action is required; the crash is triggered entirely by the inbound network message without any human interaction.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions, memory layout, or other environmental factors.
Blast Radius
- Crashes the FRR routing daemon, halting all BGP route processing on the affected node.
- Drops all dynamically learned routes, causing forwarding failures for traffic that depends on BGP-distributed paths.
- Requires a manual or automated service restart to restore routing, creating a window of network unavailability proportional to recovery time.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-37460, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment FRR publishes a correction. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While waiting for an upstream patch, HarborGuard surfaces compensating-control suggestions in the triage findings for affected images, including network-policy isolation to restrict which peers can initiate BGP sessions to FRR instances, egress filtering to reduce the attack surface to known peer addresses, and disabling the RFAPI/VNC feature flag in FRR configuration if that capability is not operationally required. Customers whose compliance policy flags HIGH-severity CVEs for immediate escalation will see this issue routed to the appropriate team inbox automatically.
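As an added triage helper (not HarborGuard's or FRR's own code), the script below maps the advisory's affected range, FRR stable/10.0 through stable/10.6 with no fixed version, onto version strings pulled from an image inventory and flags which images need attention. The inventory entries and image names are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected range as stated in the advisory: stable/10.0 through stable/10.6.
# No fixed version is published, so versions outside this range are reported
# as "not-in-range", not as "fixed".
AFFECTED_MIN = (10, 0)
AFFECTED_MAX = (10, 6)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_frr_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as 'FRRouting 10.3.1',
    'frr-10.2' or 'stable/10.6'. Returns None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(text: str) -> Optional[bool]:
    """True if the release branch (major.minor) lies in the affected range,
    False if outside it, None if the version cannot be parsed."""
    v = parse_frr_version(text)
    if v is None:
        return None
    return AFFECTED_MIN <= (v[0], v[1]) <= AFFECTED_MAX


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Classify each (image, version_string) pair as 'affected',
    'not-in-range' or 'unknown' (unparseable: route to manual review)."""
    result = []
    for image, version in inventory:
        flag = is_affected(version)
        status = "unknown" if flag is None else ("affected" if flag else "not-in-range")
        result.append((image, status))
    return result


# Constructed sample inventory; the image names are placeholders.
SAMPLE_INVENTORY = [
    ("registry.example/net/frr:10.3.1", "FRRouting 10.3.1"),
    ("registry.example/net/frr:10.0", "frr-10.0"),
    ("registry.example/net/frr:9.1.2", "FRRouting 9.1.2"),
    ("registry.example/net/frr:custom", "stable/10.6"),
    ("registry.example/net/router:latest", "version unknown"),
]

if __name__ == "__main__":
    for image, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {image}")
```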
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H