{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-30T20:17:51Z",
  "bugzilla" : {
    "description" : "FRRouting: frr: FRRouting: Denial of Service due to integer overflow in OSPF TLV parser functions",
    "id" : "2464230",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464230"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-190",
  "details" : [ "FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.", "A flaw was found in FRRouting. An integer overflow vulnerability exists in several OSPF Traffic Engineering and Segment Routing TLV parser functions. An attacker with an established OSPF (Open Shortest Path Path First) adjacency can send a specially crafted LS (Link State) Update packet containing a malicious Type 10 or Type 11 Opaque LSA (Link State Advertisement). This can trigger out-of-bounds memory reads, leading to a Denial of Service (DoS) by crashing all affected routers within the OSPF area or autonomous system." ],
  "statement" : "Moderate impact. This flaw in FRRouting's OSPF TLV parser functions can lead to a denial of service. An attacker with an established OSPF adjacency can send a specially crafted packet, triggering out-of-bounds memory reads and crashing routers within the OSPF area or autonomous system. Exploitation requires network proximity and an active OSPF peering relationship.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "frr",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "frr",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "frr",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "frr10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-28532\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28532\nhttps://github.com/FRRouting/frr/commit/f098decf02987fbf1c891766c1516ac832adadfd\nhttps://github.com/FRRouting/frr/pull/21002\nhttps://github.com/FRRouting/frr/releases/tag/frr-10.5.3\nhttps://www.vulncheck.com/advisories/frrouting-integer-overflow-in-ospf-tlv-parser-functions" ],
  "name" : "CVE-2026-28532",
  "csaw" : false
}