Cyber Posture

CVE-2026-37459

High

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 11.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

AU-6 Audit Record Review, Analysis, and Reporting
addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

CP-4 Contingency Plan Testing
addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

IR-10 Integrated Information Security Analysis Team
addresses: CWE-400

The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.

MA-6 Timely Maintenance
addresses: CWE-400

Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

Security SummaryAI

CVE-2026-37459 is an integer underflow vulnerability in FRRouting (FRR), affecting stable versions from 10.0 to 10.6. The flaw occurs when processing a crafted BGP UPDATE message, leading to a Denial of Service (DoS) condition. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).

Remote attackers with network access to an affected FRR instance can exploit this vulnerability without authentication or user interaction. By sending a specially crafted BGP UPDATE message, they can trigger the integer underflow, causing resource exhaustion or a crash that disrupts BGP routing services and potentially impacts network availability.

The patch is available in FRR commit 693a2e02687cdc9d16501275e05136edea9650d9 on GitHub, which security practitioners should apply to vulnerable versions to mitigate the issue.

Details

CWE(s)
CWE-400

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated exploitation of FRR BGP service via crafted UPDATE message directly enables T1190 (Exploit Public-Facing Application) and results in application DoS via resource exhaustion/crash, matching T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References