{"id":"CVE-2026-28532","summary":"FRRouting \u003c 10.5.3 Integer Overflow in OSPF TLV Parser Functions","details":"FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.","modified":"2026-06-09T18:29:47.845936539Z","published":"2026-04-30T20:17:51.060Z","related":["SUSE-SU-2026:22026-1","openSUSE-SU-2026:10721-1","openSUSE-SU-2026:20898-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28532.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-125","CWE-190"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28532.json"},{"type":"ADVISORY","url":"https://github.com/FRRouting/frr/releases/tag/frr-10.5.3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28532"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions"},{"type":"REPORT","url":"https://github.com/FRRouting/frr/pull/21002"},{"type":"FIX","url":"https://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/frrouting/frr","events":[{"introduced":"0"},{"fixed":"cd39d029a48a1e58929a7f31e7d61a594c2ecb42"}]}],"versions":["frr-10.5.2","docker/10.5.2","frr-10.5.1","docker/10.5.1","frr-10.5.0","base_10.5","frr-10.5-dev","base_10.4","base_10.3","frr-10.4-dev","frr-10.3-dev","base_10.2","frr-10.2-dev","base_10.1","frr-10.0-dev","base_10.0","frr-9.2-dev","base_9.1","base_9.0","frr-9.1-dev","base_8.5","frr-9.0-dev","frr-8.4-rc","base_8.4","frr-8.5-dev","base_8.3","frr-8.4-dev","base_8.2","frr-8.3-dev","frr-8.1-rc1","base_8.1","frr-8.2-dev","8.1-dev","frr-8.1-dev","base_8.0","base_7.6","frr-8.0-dev","frr-7.6-dev","base_7.5","base_7.4","frr-7.5-dev","base_7.3","frr-7.4-dev","base_7.2","frr-7.3-dev","frr-7.2-dev","7.1_pulled","frr-7.1-dev","frr-6.1-dev","frr-5.1-dev","reindent-master-after","reindent-master-before","frr-3.1-dev","frr-3.0-branchpoint"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-28532.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}