First published: Tue Aug 02 2022 (Updated: )
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Frrouting Frrouting | =8.3 | |
| debian/frr | <=7.5.1-1.1+deb11u2 | 7.5.1-1.1+deb11u3, 8.4.4-1.1~deb12u1, 10.1.1-0.1, 10.2-2 |
The severity of CVE-2022-37035 is high (8.1).
The affected software for CVE-2022-37035 includes FRRouting (FRR) version 8.3.
CVE-2022-37035 can be exploited by sending crafted BGP packets, which may lead to Remote Code Execution or Information Disclosure.
Yes, a fix for CVE-2022-37035 is available in FRRouting version 8.4.4-1.1 or later.
More information about CVE-2022-37035 can be found in the references provided: [link1], [link2], [link3].