CVE-2026-48689
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
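The two bounds checks quoted above, side by side, as an added example that is not FastNetMon's code: model_buffer, append_flawed, append_fixed and guard_survives are hypothetical names, and the buffer reserves one guard byte after the usable region so the single-byte overrun can be observed safely. The corrected check is written in subtraction form, which goes slightly beyond the advisory by also preventing wraparound of offset + length.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical model of a fixed-capacity byte buffer; not FastNetMon's class.
// One guard byte is allocated after the usable region so that a one-byte
// overrun lands in memory we own and can be observed without undefined behaviour.
struct model_buffer {
    static constexpr uint8_t GUARD = 0xA5;
    size_t capacity;            // plays the role of the maximum storage size
    size_t offset = 0;          // current write position
    std::vector<uint8_t> mem;   // capacity usable bytes + 1 guard byte

    explicit model_buffer(size_t cap) : capacity(cap), mem(cap + 1, 0) {
        mem[cap] = GUARD;
    }

    bool guard_intact() const { return mem[capacity] == GUARD; }

    // Check as quoted in the advisory: rejects only when the write would end
    // two or more bytes past the buffer, so capacity + 1 bytes are accepted.
    bool append_flawed(const void* src, size_t length) {
        if (offset + length > capacity + 1) return false;
        std::memcpy(mem.data() + offset, src, length);
        offset += length;
        return true;
    }

    // Corrected check (offset + length > capacity), written in subtraction
    // form so that a huge length cannot wrap the addition around.
    bool append_fixed(const void* src, size_t length) {
        if (offset > capacity || length > capacity - offset) return false;
        std::memcpy(mem.data() + offset, src, length);
        offset += length;
        return true;
    }
};

// Appends `length` bytes of 0xFF to a fresh buffer of size `cap` and reports
// whether the guard byte survived. Constructed input, for demonstration only.
bool guard_survives(size_t cap, size_t length, bool use_fixed) {
    model_buffer buf(cap);
    std::vector<uint8_t> payload(length, 0xFF);
    if (use_fixed) buf.append_fixed(payload.data(), length);
    else           buf.append_flawed(payload.data(), length);
    return buf.guard_intact();
}
```

A regression test for the fix can use the same boundary: a write of exactly capacity bytes must succeed and a write of capacity + 1 bytes must be rejected.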
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48689
