DEBIAN-CVE-2026-48686

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decodebgpsubnetencodingipv4raw() in src/bgpprotocol.cpp reads prefixbitlength directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to howmuchbytesweneedforstoringcertainsubnetmask() which computes ceil(prefixbitlength / 8), returning up to 32 bytes for a prefixbitlength of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32t stack variable (prefixipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefixbitlength is passed to convertcidrtobinarynetmasklocalfunctioncopy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.