PT-2026-36172 · Frrouting+2

Vulncheck · Published 2026-04-30 · Updated 2026-06-03 · CVE-2026-28532

CVSS v3.1: 6.5 (Medium)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

FRRouting versions prior to 10.5.3

Description

An integer overflow exists in seven OSPF Traffic Engineering and Segment Routing TLV parser functions. A uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, which causes the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet containing a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads, resulting in a crash of all affected routers within the OSPF area or autonomous system.

Recommendations

Update to version 10.5.3.
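The accumulator pattern from the description, next to a bounds-checked TLV walk, as an added example that is not FRRouting's code or its patch. `tlv_size()` is a hypothetical stand-in for the size macro and assumes a 4-byte header with the body padded to 4 bytes; the function names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 4u /* assumed header: 2-byte type, 2-byte length, network order */

/* Hypothetical stand-in for a TLV size macro: header + body padded to 4 bytes. */
static uint32_t tlv_size(const uint8_t *p)
{
    uint32_t len = ((uint32_t)p[2] << 8) | p[3];
    return HDR_SIZE + ((len + 3u) & ~3u);
}

/* The flawed pattern: adding a 32-bit size into a 16-bit running total wraps. */
uint16_t narrow_accumulate(uint16_t sum, uint32_t size)
{
    return (uint16_t)(sum + size);
}

/* Hardened walk: wide offset, every TLV validated against the bytes left.
 * Returns the number of TLVs, or -1 if one would extend past the buffer. */
int walk_tlvs_checked(const uint8_t *buf, size_t total)
{
    size_t off = 0;
    int count = 0;

    while (off < total) {
        if (total - off < HDR_SIZE)
            return -1;                  /* truncated header */
        uint32_t size = tlv_size(buf + off);
        if (size > total - off)
            return -1;                  /* declared length overruns the buffer */
        off += size;
        count++;
    }
    return count;
}

/* Constructed sample buffers, not captured traffic. */
const uint8_t sample_ok[] = { 0, 1, 0, 4, 1, 2, 3, 4, 0, 2, 0, 2, 9, 9, 0, 0 };
const uint8_t sample_bad[] = { 0, 1, 0, 4, 1, 2, 3, 4, 0, 2, 0, 64 };

int main(void)
{
    printf("16-bit total: %u\n", (unsigned)narrow_accumulate(0xFFF0, 0x20));
    printf("ok=%d bad=%d\n", walk_tlvs_checked(sample_ok, sizeof sample_ok),
           walk_tlvs_checked(sample_bad, sizeof sample_bad));
    return 0;
}
```

The 16-bit total moves backwards once the sum passes 65535, so a loop bounded only by that total keeps advancing its pointer; the checked walk rejects the second buffer because its last TLV declares more bytes than remain.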

Fix

Integer Overflow

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-28532
OPENSUSE-SU-2026:10721-1
SUSE-SU-2026:22026-1
USN-8376-1

Affected Products

Frrouting
Linuxmint
Ubuntu