FRRouting < 10.5.3 Integer Overflow in OSPF TLV Parser Exposes Routing Infrastructure to Memory Corruption
A critical integer overflow vulnerability in FRRouting versions prior to 10.5.3 introduces a severe memory corruption risk in OSPF routing infrastructure. The flaw stems from how seven OSPF Traffic Engineering and Segment Routing TLV parser functions handle size calculations. Each accumulates the uint32_t values returned by the TLV_SIZE() macro in a uint16_t variable, so the larger value is truncated. The loop termination condition then fails while pointer advancement proceeds unchecked, and the parser reads beyond allocated memory boundaries.
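The truncation described above can be reproduced in isolation. The following is an added example, not FRRouting code and not the upstream patch: `tlv_size()`, `walk_u16()`, `walk_checked()` and both sample buffers are hypothetical names and constructed data, and the flawed walk is simulated with offsets so it never reads outside its buffer.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR 4u /* 2-byte type + 2-byte length, big-endian */

/* Constructed samples: two well-formed TLVs, and one with length 0xFFFF. */
const uint8_t good_tlvs[] = {0,1,0,4, 1,2,3,4, 0,2,0,2, 9,9,0,0};
const uint8_t bad_tlvs[]  = {0,1,0xFF,0xFF, 0,0,0,0};

/* Simplified stand-in for a TLV_SIZE()-style macro: header plus body padded
 * to 4 bytes, computed as uint32_t (assumption for this example). */
static uint32_t tlv_size(const uint8_t *p)
{
    uint32_t len = ((uint32_t)p[2] << 8) | p[3];
    return HDR + ((len + 3u) & ~3u);
}

/* Flawed pattern, simulated with offsets so nothing is read out of bounds.
 * Returns where the cursor ends up; a value > buflen means a real parser
 * would have left the buffer. */
size_t walk_u16(const uint8_t *buf, size_t buflen, uint16_t total)
{
    size_t cur = 0;
    uint16_t sum = 0;
    while (sum < total) {
        if (cur + HDR > buflen)
            return cur;              /* simulation guard only */
        uint32_t sz = tlv_size(buf + cur);
        sum = (uint16_t)(sum + sz);  /* 65540 truncates to 4 */
        cur += sz;                   /* cursor moves the full 65540 */
    }
    return cur;
}

/* Hardened pattern: each TLV is checked against the bytes that remain.
 * Returns the TLV count, or -1 if a TLV does not fit. */
int walk_checked(const uint8_t *buf, size_t buflen)
{
    size_t cur = 0;
    int n = 0;
    while (cur < buflen) {
        if (buflen - cur < HDR) return -1;
        uint32_t sz = tlv_size(buf + cur);
        if (sz > buflen - cur) return -1;
        cur += sz;
        n++;
    }
    return n;
}
```

With the 8-byte sample, the 16-bit sum reaches only 4 and the loop would continue, while the cursor already sits 65540 bytes past the start; the checked walk rejects the same input before advancing.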
Attackers with established OSPF adjacencies can exploit this by injecting crafted Type 10 or Type 11 Opaque LSA packets through LS Update messages. This can trigger out-of-bounds memory reads, potentially crashing all vulnerable routers within the affected OSPF area or autonomous system. The vulnerability is particularly dangerous because it requires an existing adjacency—an attacker must already be a legitimate participant in the routing domain. The issue is tracked as CVE-2026-28532 and has been documented in the Nixpkgs security tracker as NIXPKGS-2026-1350.
The vulnerability was addressed in FRRouting 10.5.3. The official patch is available in commit f098decf02987fbf1c891766c1516ac832adadfd on the FRRouting GitHub repository. Organizations running FRRouting in OSPF-capable deployments should update immediately and review OSPF adjacency controls to ensure only trusted routers can participate in routing exchanges. The exposure is significant for any network relying on OSPF with FRRouting implementations.