[From nobody Tue Jun 2 20:11:24 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Received: from GV2PR05MB12811.eurprd05.prod.outlook.com (2603:10a6:150:356::15) by DB9PR05MB10166.eurprd05.prod.outlook.com with HTTPS; Tue, 2 Jun 2026 02:34:57 +0000 Received: from CWLP265CA0380.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:5e::32) by GV2PR05MB12811.eurprd05.prod.outlook.com (2603:10a6:150:356::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.71.16; Tue, 2 Jun 2026 02:34:38 +0000 Received: from AM3PEPF0000A79A.eurprd04.prod.outlook.com (2603:10a6:401:5e:cafe::f0) by CWLP265CA0380.outlook.office365.com (2603:10a6:401:5e::32) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.71.17 via Frontend Transport; Tue, 2 Jun 2026 02:34:38 +0000 Authentication-Results: spf=pass (sender IP is 193.110.157.125) smtp.mailfrom=lists.openwall.com; dkim=fail (signature did not verify) header.d=gmail.com; dmarc=fail action=none header.from=gmail.com; compauth=none reason=460 Received-SPF: Pass (protection.outlook.com: domain of lists.openwall.com designates 193.110.157.125 as permitted sender) receiver=protection.outlook.com; client-ip=193.110.157.125; helo=second.openwall.net; pr=C Received: from exseed.ed.ac.uk (129.215.235.39) by AM3PEPF0000A79A.mail.protection.outlook.com (10.167.16.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.92.5 via Frontend Transport; Tue, 2 Jun 2026 02:34:38 +0000 Received: from hbdkb3.is.ed.ac.uk (129.215.235.37) by hbdkb4.is.ed.ac.uk (129.215.235.39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Tue, 2 Jun 2026 03:34:37 +0100 Received: from tay.is.ed.ac.uk (129.215.16.28) by hbdkb3.is.ed.ac.uk (129.215.235.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37 via Frontend Transport; Tue, 2 Jun 2026 03:34:37 +0100 Received: from second.openwall.net (second.openwall.net [193.110.157.125]) by tay.is.ed.ac.uk (8.15.2/8.15.2) with SMTP id 6522YRU81849364 for <Bruce.Duncan@ed.ac.uk>; Tue, 2 Jun 2026 03:34:32 +0100 Received: (qmail 3082 invoked by uid 550); 2 Jun 2026 02:32:36 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: <mailto:oss-security@lists.openwall.com> List-Help: <mailto:oss-security-help@lists.openwall.com> List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com> List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com> List-ID: <oss-security.lists.openwall.com> Reply-To: <oss-security@lists.openwall.com> x-ms-reactions: disallow Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 5404 invoked from network); 2 Jun 2026 02:07:49 -0000 ARC-Seal: i=1; a=rsa-sha256; t=1780366061; cv=none; d=google.com; s=arc-20240605; b=QZAWgQlj+CEpqHPwcaVTn46YrFUnCIJVk8l+iwaSN96yaOnzY62Pte7GyPkR2oIUHf 3H6w5y5zhwwPzzd2uNdYB3CRfLvUUbwvMw3IxUj5CdUfgThtc1KxoY4bAknrMEJuNTQ6 XiYV2/o8fTbPXz96B0dO0qd+VEoPY0k14xbFe1vCgXQAAP6qqrI207yQYN5R8io13TrK gjzRiAfhLtE8ulkdGISQsk3zafGCutusFAq5SVmkhdJEaXX7C2ajS0H4yIabZ9wqGIqT pqA/nihl0Vv6hadbROAA3RAobooMPqsVQYWCqXYx0ZLGCYzdrNxKC4kA1LV7pSKSSUlX P9+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=jt2LZm0PooC4LAESsvLVYBRpo2bsthQLNN+dMIi4wx0=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=EvgsuL1lexKbLeMdOestvIEmvp9YDSfAISi/G3LlWKJTBWb7QUR/k8oWmSYYCjLLIE GBRcqsDAT3JXhE/67wnYHLBPcul1OVJ8WWlctmh6HEn/sYTIyrlq/WEBdKcXUane1bP1 /aNZxw8peSvYioARleBgtRg0v0vGqJSZlkZNtrDcPpEkkyDya8ULZXkGcHCTehcnoIr5 KfIk+++J2HtR1V7x/UfxqRGQRbf66ssOey2h5OrZyG24lFdjDgcxQZOi6iRBXtJHiCuO x4WUfaaEbTlwWUhaL0tS1hq/mg+QH1y7RhEwrxqPE6V/5iXTOIm3DZlqgmeziyk8ET6s Cy/A==; darn=lists.openwall.com ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780366061; x=1780970861; darn=lists.openwall.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=jt2LZm0PooC4LAESsvLVYBRpo2bsthQLNN+dMIi4wx0=; b=q3DJLq3isIrNojlnZJfYeUr+9Hbm73cDpc7E8nQRI1NIJNyU101pBQn+3qbqxkxG/d SJ3bUwhtPLh2MTgPLQn7dHOBEkdu3326bLY8AyT6oMd7Ia4IbHbZfor7sw/wOVE2S84F cDKYoFhKDq15U59CWQu5TrnrZbmgLzS7p2Jj1uh/F2cki3UxkYNXcoRv9gTRlL105qwg 1AUz2s98jELaem3Sd10nGSeEdsoW46EJ2mNvDwmCJSW3kltAHj2Ky9kGBFBbS8j9SJuP Aryb8JA2kzWJHqIsAx4ZRwI/RQ8/i7cQuQTIi0aupaKppM9fSQ5TBC1DAiKmXUEtqABE wv7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780366061; x=1780970861; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jt2LZm0PooC4LAESsvLVYBRpo2bsthQLNN+dMIi4wx0=; b=XoXK6NCQKg/9PEMVjK8exfcu4zGRJC/n3GuwWI79yAkxinWxv7HEWK/cWE7W/7C4Ii 3srIF3e/dgFAyijUYWpjDaDu0Mvl9DCznVchYk+7JT6C3uexCnZFQcz6/Sc2hlqbAgID e2jiI81w1oA1duTT77IOuN/cjCTPJxeDtupxz73UsnOr8UBi6XBmUUucG/htGGK18q97 8lbmKH6seT03tY9OdT4/WbS4pIQe+e1BmnOGyZ/2TW7p8BrFxDZhiW7pjHM8hgegjwhj tbwkqQ+46TD0O8i+5igRz9aymHuuOy+tlLNiafQdUTXoLiM33fkrFQw1U+WVXVd7aNdH RCNQ== X-Gm-Message-State: AOJu0Yz0/yRDKeAsxzbgklhcXDFrCT5F1Pqbk4I9T4CS/kkKgJdoYAqB G2QnmJKBGH2bdKI8rCN6CWJ/C3GNCuHbcVSw3/C97dpmwDzgBSgPH5zrDlio/Q+CJmC+xK7lRUU y7RMy04Gm0LR1DL/+leE8BZbhhEetcxWrU4exw79dOXoK X-Gm-Gg: Acq92OGvMcXN/hJ2B7O+rQrBRmMWYJGuoxAQrEYjF7kt1ef8EFAqZPyRLnWxRv64y// 8TsgPaWjWUcU7tGb5f6+DF3iuXNTLIBUd43gn5r7rBZaC60KJ5yURqKkigQOlLoZYGHi5UQfUQw A105Gl96dMRVgeHF1GZw6Jswvs/+KSCr5ROVC0ezpbB5Zi5vPxE2VInk8diCFMd6OFwVu3Z2nUm bCDm0Z5yJT3pl6yezQ9XwTL5ku/NRbq24S1NBm1BpqveUe39sjJcxle4jRn3lrY00/3BdzevtP5 zcjCRIEJuXSHaxAXRc+Dze3sgBAfNz1LStdBuJAAL2bGZf0C/QQ= X-Received: by 2002:a05:6808:c2b3:b0:485:290e:8ba1 with SMTP id 5614622812f47-485fb1871eamr7888760b6e.8.1780366060615; Mon, 01 Jun 2026 19:07:40 -0700 (PDT) From: Bakabaka_9 <qilunuobakabaka9@gmail.com> Date: Tue, 2 Jun 2026 10:07:29 +0800 X-Gm-Features: AVHnY4KoE0uXXQADjNhSM3p0zQqxoO5Ikgpe8st7fXpOwEAcdpqxuPHtbFmazaU Message-ID: <CA+W5nyiFPweL5LDEKpUSJAo8NhKQz53o=d=9HBdHipQ7d0N3Mw@mail.gmail.com> To: <oss-security@lists.openwall.com> Content-Type: multipart/alternative; boundary="0000000000009cfb2406533bc69b" Subject: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: hits=0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID, DKIM_SIGNED, FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS version=3.4.0 X-Edinburgh-Scanned: at tay.is.ed.ac.uk Return-Path: oss-security-return-33083-Bruce.Duncan=ed.ac.uk@lists.openwall.com X-OrganizationHeadersPreserved: hbdkb4.is.ed.ac.uk X-MS-Exchange-Organization-ExpirationStartTime: 02 Jun 2026 02:34:38.3406 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: fc76abba-3934-4d04-6eba-08dec04f7e14 X-EOPAttributedMessage: 0 X-MS-Exchange-Organization-MessageDirectionality: Originating X-MS-Exchange-SkipListedInternetSender: ip=[193.110.157.125]; domain=second.openwall.net X-MS-Exchange-ExternalOriginalInternetSender: ip=[193.110.157.125]; domain=second.openwall.net X-CrossPremisesHeadersPromoted: AM3PEPF0000A79A.eurprd04.prod.outlook.com X-CrossPremisesHeadersFiltered: AM3PEPF0000A79A.eurprd04.prod.outlook.com X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM3PEPF0000A79A:EE_|GV2PR05MB12811:EE_|DB9PR05MB10166:EE_ X-MS-Exchange-Organization-AuthSource: hbdkb3.is.ed.ac.uk X-MS-Exchange-Organization-AuthAs: Anonymous X-OriginatorOrg: uoe.onmicrosoft.com X-MS-Office365-Filtering-Correlation-Id: fc76abba-3934-4d04-6eba-08dec04f7e14 X-MS-Exchange-AtpMessageProperties: SA|SL X-MS-Exchange-Organization-SCL: 1 X-Microsoft-Antispam: BCL:0; ARA:13230040|4022899009|82310400026|7093399015|55112099003|13003099007|3113699003|5113699003|16102099003|18002099003|21082099003|5063699009|56012099006|11063799006|6133799003; X-Forefront-Antispam-Report: CIP:129.215.235.39; CTRY:NL; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:second.openwall.net; PTR:second.openwall.net; CAT:NONE; SFTY:9.25; SFS:(13230040)(4022899009)(82310400026)(7093399015)(55112099003)(13003099007)(3113699003)(5113699003)(16102099003)(18002099003)(21082099003)(5063699009)(56012099006)(11063799006)(6133799003); DIR:INB; SFTY:9.25; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Jun 2026 02:34:38.2880 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: fc76abba-3934-4d04-6eba-08dec04f7e14 X-MS-Exchange-CrossTenant-Id: 2e9f06b0-1669-4589-8789-10a06934dc61 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2e9f06b0-1669-4589-8789-10a06934dc61; Ip=[129.215.235.39]; Helo=[exseed.ed.ac.uk] X-MS-Exchange-CrossTenant-AuthSource: hbdkb3.is.ed.ac.uk X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV2PR05MB12811 X-MS-Exchange-Transport-EndToEndLatency: 00:00:19.4609369 X-MS-Exchange-Processed-By-BccFoldering: 15.21.0071.000 X-Microsoft-Antispam-Mailbox-Delivery: ucf:1; jmr:0; auth:0; dest:C; OFR:CustomRules; ENG:(910005)(944506478)(944626604)(4710137)(4712097)(4999163)(920097)(930201)(20251009189)(140003)(1420198); X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?fmZDtLmcHHTWE3EoiQkTzddMyDCenhqk6o0f96IiuOafwiEWOb8r0KgJLdzp?= =?us-ascii?Q?oaPprRVQghFfe2FgK4upCnhVkmrJgPBMtRqPgz8IhGaXH69J1Tspj4aYcZtV?= =?us-ascii?Q?DPtW4OKpwztUP2EL5EjSs2wODyAUs4bdMIEJRa38wK57kJOLiSuDigMfUSQz?= =?us-ascii?Q?FjJeJ+Cmyv+bKhSDii2F0LwtDCatuRbfZlLlfk6WVBB37NHVfL/AY5nPYH3j?= =?us-ascii?Q?eBhjVwhzXvPYbdQz51jEzULFVpR7QTQ1tW3O7TS2EjPEnOYUgdzW1jmoD4YG?= =?us-ascii?Q?OPx+Rx8jhlC9s/B0HmCsq2ix/IO/GZzkbuaZYWEuL0fFbNM/FLa3tp53eM5X?= =?us-ascii?Q?xBEFzrk9233Qr1pf7Mljf9HmTQfrwbkf0dfLKJiAp2C4z7Vc3hODMPiAHzQ9?= =?us-ascii?Q?w3bf737y+AjbD9KWkW5p7oCr0h/+RV1RzouXLZDXuRwwdtXnGNaqlN9fUYj/?= =?us-ascii?Q?//a7hupJ0rcIvBq/LFb0490v7jL83foT/Xj0Qanyj3K8UAaJrlf4BE1RXkDW?= =?us-ascii?Q?Zir3wgyPyq7qa5Gq8ho51DP44FH+Wlhns+ZVLmuB3JfbIn6R88Ch1aknf4eP?= =?us-ascii?Q?qlqZLQirjjJ24dL/KxW5+I3eY7HAxexu2cWqLjiQuRXDXetGSTupbQD28EBb?= =?us-ascii?Q?sNWLEknWQX/4a7HVI+ndUSLh6YoZ6/JFLdJ8Iy1c5bp7n9CZvHls1EUz8pM7?= =?us-ascii?Q?3WVPtUhziB5+imSiI85sEZ2ue889JWm4XSSx8AosuDpF7ZiCVMZNRHIAmL2E?= =?us-ascii?Q?jV85hMrrKK3zTr2hgiTyYlMFSSOEp1PBEKKJIlafHROIhzjuIOIwRYN+xv0O?= =?us-ascii?Q?e+e+5d4gbGrax0fKEEg3jmHVNvwHQLTsEENzoAa9iguK5PTLvF2m82BHlpw5?= =?us-ascii?Q?D3bLA94zPRlN9EqPqXUz+ZFLRfkRE7jsG6qKR2UI5VMIzXOOBDeRH2jgTzoW?= =?us-ascii?Q?MJSaCqrCa7AB3c+Q0+sLHRuezk3lenEjKklVolNkq9LXL/ahplqRVEuRV61/?= =?us-ascii?Q?SouLrN9Shx+Zx+PCbeJLn2t2LUim8qHGOaaJwf30RoHPF2gNQmQe18TPd9Kj?= =?us-ascii?Q?7k42GOlHzXsX6TOrhw5T8ifUGrdoS4uMOBsxQ+7rmhzdeHk5Z838a6ZA//jc?= =?us-ascii?Q?QW60dMZHDnGEJPqttGberIH+y3jrhRslOcq/MsElvt/fEQun/E2Sv8LVHkjp?= =?us-ascii?Q?Intuw0Mks2O4cLAK7UCZXQWLdmCgz28rnP4iDfQOUt+GHvGkcV3ichYjpDRF?= =?us-ascii?Q?vaWZMFCWXpU++IS8+H4AecgylaRIAoPOdQU73r885Ms/frqzK5ci6nGwm6sp?= =?us-ascii?Q?QG902xPDSxvO/wD3Udi23lprNUSauiA+wA9WbyYx1NlOAje8kNCYCiUMCVVX?= =?us-ascii?Q?UPNNrzrOIFW0/3AG/lL0nytDsldaT7PrI9ypmAewlTwPNup9iCBT740bmd9Y?= =?us-ascii?Q?/a2s702syE7jWNNWGeOhbnJQZcDAsJX9QOUJoKFk04efiw9PUAR+CN9Vew9J?= =?us-ascii?Q?YZCiR2PtGxOd4R3kAvdPRkfUGsBh15w/aTQMHsf9F6PabtTCGxX3WYiZI0eS?= =?us-ascii?Q?Va5AS3XhT1OGlMKq9scuSyYna+VLmM99DzlALNMXwKyGnQdV5T8rKPTNhK+Q?= =?us-ascii?Q?1IV4UOMKB412h7nOdodXCu2FJ/7WKpYFSnmoAM7kbhYij2/om/EhUvRETP/X?= =?us-ascii?Q?SdJnSJDOHJJekY+tiXqBCenF9pLWWakIPgLjhgUUy+Jfb1k7Ro3ss3F4ptwX?= =?us-ascii?Q?0bA+HP5zQZkuj+aoIF/230LE6vne9YBZRfKeH9+0scNHHnB9+6LtqmNq/HY1?= =?us-ascii?Q?MGmu0Hc3uibioNNP5Uob4MaRazKCcrT0e+uWYQCWISfx9MSUQ7O4ZchWKQyE?= =?us-ascii?Q?c+QmiNMe6Il/35OdEKCqEuW4lVHlVv7xxs+Vd8ZXH6soXsv39nQWqAhkUEWB?= =?us-ascii?Q?85JCOJ0OrgF42OYzmZUmAB8wxEVhxD5c02roi9jmbT2dBxbqdyDTW1y/bA6t?= =?us-ascii?Q?ZPR/Apcwqc88bd7/GT47xTNXUK00lm7MU/vHfgHzDqAZjEsLHblz7dYQ7OS2?= =?us-ascii?Q?q676qqjtkiuMG/X6J2liJn4NEYLipihsTON8HWD2JrRUklHtgJG1mHz0f84Q?= =?us-ascii?Q?01TmoINmD//fL9SPM2LetRr/nLki8IX5f4dykUHbvJQTUM5c5yNo0UI4mm4X?= =?us-ascii?Q?QTVlMDo1eTaH1z+Bgjgdm3PDg2po8NXtfGQwQFMgyqnhN0Ln8WU7TvX3IkFm?= =?us-ascii?Q?FnZhZvB4yQQcnj06jr80Harxg2KkXsfYxYfOKXhSDt9DBGa4NX2Zm3QzsU0z?= =?us-ascii?Q?TNaa3uGjLziv8sWbidYIbs5wgFlT+ctxUqHEWx3qp9wWyXWFCVbu/81MOIAV?= =?us-ascii?Q?Q+XEY9vnE5tiAMcxTPLcbKVkctCo0pqy4r7kw7eCWUA6Om/oAnvhzv33UK8F?= =?us-ascii?Q?fqY+TCFWLXfEFayGi3pMl4vsAUwuHySzMJUKX4YejS3wDarSixe6adwXg+Of?= =?us-ascii?Q?sN4VzTm0dSKupEY06BGnmxqLc9y+nsQdykv8dYBTk2JbaX5kcCz0NQgkuQnI?= =?us-ascii?Q?u3Xvyb84aU1GDvHQFCSbtV189fc50sv0oQzuDvGanEPt2W2c1BW7xyE5aKJm?= =?us-ascii?Q?CNm8escnviB35okafmwK83PBObKDokmbZ1rym/P7ZLguzZonz8/3YO5ZxObr?= =?us-ascii?Q?zTYdHGeUtkk1TuKFy60DqukpoUE8N6EYPbPtsTawAaoA9JdSaJYaykPxu1dN?= =?us-ascii?Q?Ft95EWZuPj/IBth36CWx8IR30QY7VoCrej+qng1V6uwhvdpmFgBRtkd1OELs?= =?us-ascii?Q?NXqbUTyXSd1oaZBBvxh5lxZYAtMWrI8fObfLq0jVSgTCas0w40OazuN4nn1U?= =?us-ascii?Q?6lm25uAPUdWBNeGmBLpqJGYYTczdOIQd1oDhtXWOxx3EiBgsDiFpii/SpRL6?= =?us-ascii?Q?+ERuhDX8j8G2BogS/0K+f8XPBnHPVdiJeOLe0k1D/LapaYPdS9KG0vXUkVBY?= =?us-ascii?Q?Huyf94NwlcP9qdqd9uNuMQeieVig+eVFZOXs3g3G5X1vbJZ5CQhpKUS1bdpH?= =?us-ascii?Q?YWvglGEB?= MIME-Version: 1.0 --0000000000009cfb2406533bc69b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable [You don't often get email from qilunuobakabaka9@gmail.com. Learn why this = is important at https://aka.ms/LearnAboutSenderIdentification ] Hi oss-security, I would like to disclose a vulnerability in BIRD 2.x's BGP AS_PATH mask matching code. Summary =3D=3D=3D=3D=3D=3D=3D BIRD 2.x can crash when evaluating a crafted BGP AS_PATH with an AS path mask filter, for example a filter using syntax similar to: bgp_path ~ [=3D ... =3D] The issue is triggered during AS_PATH mask matching, involving the path expansion and matching logic used by as_path_match(). A sufficiently large or specially crafted AS_PATH can exceed a fixed-size stack buffer used during matching. The confirmed impact is denial of service of the BIRD daemon. Memory corruption was observed under AddressSanitizer. Code execution has not been demonstrated. Affected versions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Tested affected: - BIRD 2.16.2 Possibly affected: - Other BIRD 2.x versions using the same AS_PATH mask matching implementation. Not affected: - Unknown. Fixed version =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D No fixed version is available at the time of this disclosure. CVE =3D=3D=3D A CVE ID was requested from MITRE on 2026-05-28, but no CVE ID has been assigned yet. Impact =3D=3D=3D=3D=3D=3D A malicious or compromised BGP peer can send a crafted AS_PATH that is accepted by BIRD and later evaluated by a local AS path mask filter. When the crafted AS_PATH is evaluated by the path mask matching logic, BIRD may overflow a stack buffer and crash. This causes denial of service of the routing daemon, BGP session resets, and possible route withdrawal or route instability depending on the deployment. The confirmed impact is remote peer-triggered denial of service. Memory corruption was observed under ASan. Remote code execution has not been demonstrated. Attack requirements =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The following conditions are required to trigger the issue: - The attacker must be able to establish a BGP session with the target BIRD instance, or otherwise send accepted BGP UPDATE messages as a configured or trusted peer. - The target configuration must evaluate the received AS_PATH with an AS path mask, for example by using a filter expression such as: bgp_path ~ [=3D ... =3D] - The issue is easier to trigger when BGP Extended Messages are enabled, because larger UPDATE messages allow larger path attributes. - Confederation AS_PATH segments may make simple length-based mitigations unreliable, depending on how the local filter checks AS_PATH length before path mask evaluation. This is not known to be directly exploitable by an unauthenticated Internet host unless that host can become an accepted BGP peer. Technical details =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The vulnerable code path is in the AS_PATH mask matching logic. During matching, BIRD expands or processes AS_PATH data for comparison against an AS path mask. The matching logic uses a fixed-size stack buffer, but the effective expanded path representation can exceed that buffer for large or specially crafted AS_PATH attributes. In a local test environment, a crafted AS_PATH received from a BGP peer and evaluated by a filter using AS path mask matching caused an AddressSanitizer-detected stack buffer overflow and terminated the BIRD process. The reproducer used a local lab with two BIRD instances configured as BGP peers. A full weaponized reproducer, raw BGP UPDATE payload, and packet capture are not included in this initial disclosure. Mitigation =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Until an upstream fix is available, operators should consider the following mitigations: - Avoid applying AS path mask matching to routes received from untrusted or semi-trusted BGP peers. - Avoid using filters such as: bgp_path ~ [=3D ... =3D] on untrusted input unless AS_PATH size and structure are strictly bounded before evaluation. - Do not enable BGP Extended Messages for untrusted peers unless they are required. - Reject unusually large AS_PATH attributes before any AS path mask matching is performed. - Be careful with simple bgp_path.len based checks, as confederation AS_PATH segments may not be accounted for in the same way as they are expanded or processed during matching. - Restrict BGP sessions to trusted peers. - Use TCP MD5, TCP-AO, GTSM/TTL security, strict prefix/AS_PATH policy, and session-level filtering where applicable. - Monitor for unexpected bird/bird2 crashes and BGP session resets. - Run BIRD under systemd hardening and automatic restart policies as a defense-in-depth measure. Upstream status =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D The issue was reported to CZ.NIC on 2026-05-02. On 2026-05-24, CZ.NIC stated that they do not currently plan to fix the issue. No fixed release is available at the time of this disclosure. Timeline =3D=3D=3D=3D=3D=3D=3D=3D 2026-05-02: Vulnerability discovered. 2026-05-02: Reported to CZ.NIC. 2026-05-03: CZ.NIC acknowledged the report. 2026-05-24: CZ.NIC stated that they do not currently plan to fix the issue. 2026-05-28: CVE requested from MITRE. 2026-06-02: Public disclosure on oss-security. References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D - BIRD project: https://eur02.safelinks.protection.outlook.com/?url=3Dhttps= %3A%2F%2Fbird.network.cz%2F&data=3D05%7C02%7C%7Cfc76abba39344d046eba08dec04= f7e14%7C2e9f06b016694589878910a06934dc61%7C0%7C0%7C639159644978968714%7CUnk= nown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4z= MiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=3DvGV8TQLAMqx4l= gP3OyNKj8a4JeNMrAf1OhMcqMyOuMI%3D&reserved=3D0 - Upstream report: private report to CZ.NIC, not publicly available - Proposed patch: not available - CVE request: pending Credits =3D=3D=3D=3D=3D=3D=3D Discovered by Bakabaka_9. --0000000000009cfb2406533bc69b-- ]