Your message dated Tue, 02 Jun 2026 10:19:40 +0000
with message-id <[email protected]>
and subject line Bug#1138646: fixed in fastnetmon 1.2.9-1
has caused the Debian Bug report #1138646,
regarding fastnetmon: CVE-2026-48689 CVE-2026-48688 CVE-2026-48696
CVE-2026-48695 CVE-2026-48694 CVE-2026-48691 CVE-2026-48690 CVE-2026-48687
CVE-2026-48686 CVE-2026-48685 CVE-2026-48684 CVE-2026-48683
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fastnetmon
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for fastnetmon.
Most of these are harmless, but two (CVE-2026-48689 and CVE-2026-48688)
are relevant.
All links to commits etc. in the
https://security-tracker.debian.org/tracker/source-package/fastnetmon
entries for each CVE.
There's also three other reports, which are not fixed upstream in
1.2.9 (but this bug only tracks the issues fixed in 1.2.9):
CVE-2026-48689[0]:
| FastNetMon Community Edition through 1.2.9 contains an off-by-one
| heap-based buffer overflow in the dynamic_binary_buffer_t class
| (src/dynamic_binary_buffer.hpp). Five methods
| (append_dynamic_buffer, append_data_as_pointer,
| append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr)
| use an incorrect bounds check of the form 'if (offset + length >
| maximum_internal_storage_size + 1)' instead of the correct 'if
| (offset + length > maximum_internal_storage_size)'. This allows
| writing exactly one byte past the end of the heap-allocated buffer.
| The class is used pervasively in BGP message encoding/decoding,
| NetFlow template processing, and Flow Spec NLRI construction. An
| attacker who can send network traffic (NetFlow, sFlow, IPFIX, or
| BGP) to a FastNetMon instance can trigger this overflow, potentially
| achieving arbitrary code execution by corrupting heap metadata.
| Notably, the append_byte() method uses the correct bounds check,
| confirming the inconsistency.
CVE-2026-48688[1]:
| FastNetMon Community Edition through 1.2.9 contains multiple out-of-
| bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The
| function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a
| TODO comment at line 156 explicitly acknowledging 'we should add
| sanity checks to avoid reads after attribute memory block.' The
| function casts raw pointers to structure types without verifying
| sufficient data exists (line 158), uses the attacker-controlled
| length_of_next_hop field to determine memcpy size (line 181), and
| computes prefix_length by dereferencing a pointer calculated from
| multiple attacker-controlled offsets without bounds validation (line
| 189). The prefix_length is then used to calculate
| number_of_bytes_required_for_prefix which becomes a memcpy length
| (line 202) with no check against remaining buffer size.
CVE-2026-48696[2]:
| FastNetMon Community Edition through 1.2.9 has a buffer overflow, a
| different vulnerability than CVE-2026-48686 and CVE-2026-48689.
CVE-2026-48695[3]:
| FastNetMon Community Edition through 1.2.9 contains an OS command
| injection vulnerability in the MikroTik router integration plugin.
| The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php
| (lines 107-108) constructs shell commands by concatenating the $msg
| parameter directly into exec() calls: exec("echo `date` \"-
| {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is
| identical in pattern to the Juniper plugin vulnerability. The $msg
| variable contains unsanitized attack data from command-line
| arguments. An attacker who can influence argv[] values can inject
| arbitrary shell commands. The fix is to replace exec() with
| file_put_contents() or use escapeshellarg().
CVE-2026-48694[4]:
| FastNetMon Community Edition through 1.2.9 contains a configuration
| injection vulnerability in the Juniper router integration plugin. In
| src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable
| (received from argv[1]) is directly interpolated into Juniper
| NETCONF set-configuration commands at lines 69 and 90 without any
| validation or sanitization. Line 69:
| $conn->load_set_configuration("set routing-options static route
| {$IP_ATTACK} community 65535:666 discard"). Line 90:
| $conn->load_set_configuration("delete routing-options static route
| {$IP_ATTACK}/32"). An attacker who can control the IP address string
| can inject additional Juniper CLI configuration commands by
| embedding newline characters followed by arbitrary set/delete
| commands. This could modify the router's routing table, firewall
| filters, user accounts, or any other configuration element
| accessible via NETCONF. The impact is full router compromise.
CVE-2026-48691[5]:
| FastNetMon Community Edition through 1.2.9 contains an integer
| overflow in the BGP AS_PATH attribute encoder. In
| src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes()
| function computes attribute_length as
| 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() *
| sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605).
| Since uint8_t can only hold values 0-255, an AS_PATH containing more
| than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The
| truncated length is used for buffer sizing, while the actual data
| written is the full untruncated amount, resulting in a heap buffer
| overflow. Similarly, the path_segment_length field at line 621 is
| also uint8_t, truncating with more than 255 ASNs.
CVE-2026-48690[6]:
| FastNetMon Community Edition through 1.2.9 contains an integer
| overflow vulnerability in the packet capture buffer allocation. In
| src/packet_storage.hpp, the allocate_buffer() function computes
| memory_size_in_bytes as 'buffer_size_in_packets *
| (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) +
| sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit)
| arithmetic. With max_captured_packet_size=1500 and
| sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires
| approximately 1516 bytes. If buffer_size_in_packets exceeds
| approximately 2,832,542, the multiplication overflows, resulting in
| a much smaller allocation than expected. Subsequent write_packet()
| calls then write past the allocated buffer, causing heap corruption.
| The buffer_size_in_packets value is derived from the
| ban_details_records_count configuration parameter, which is parsed
| using atoi() with no overflow checking.
CVE-2026-48687[7]:
| FastNetMon Community Edition through 1.2.9 contains an OS command
| injection vulnerability in the Juniper router integration plugin.
| The _log() function in src/juniper_plugin/fastnetmon_juniper.php
| (lines 117-118) constructs shell commands by concatenating the $msg
| parameter directly into exec() calls: exec("echo `date` \"-
| {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg
| variable contains unsanitized data derived from command-line
| arguments argv[1] through argv[3], which represent the attack IP
| address, direction, and power. While FastNetMon's C++ core currently
| passes IP addresses via inet_ntoa() (which only produces safe
| dotted-decimal notation), the PHP script performs no input
| validation or shell escaping. If the script is invoked directly, by
| another orchestration system, or if future code changes pass string-
| sourced IPs, arbitrary commands can be injected. The correct fix is
| to replace exec() with file_put_contents() or use escapeshellarg()
| on all parameters.
CVE-2026-48686[8]:
| FastNetMon Community Edition through 1.2.9 contains a stack-based
| buffer overflow in the BGP NLRI (Network Layer Reachability
| Information) decoder. The function
| decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads
| prefix_bit_length directly from the BGP packet (line 99) without
| validating it is <= 32 for IPv4 prefixes. This value is passed to
| how_much_bytes_we_need_for_storing_certain_subnet_mask() which
| computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a
| prefix_bit_length of 255. The result is used as the length argument
| to memcpy() (line 106), which copies into a 4-byte uint32_t stack
| variable (prefix_ipv4). This causes a stack buffer overflow of up to
| 28 bytes, which can be exploited for arbitrary code execution.
| Additionally, the unvalidated prefix_bit_length is passed to
| convert_cidr_to_binary_netmask_local_function_copy() (line 111),
| where a shift of (32 - cidr) with cidr > 32 causes undefined
| behavior.
CVE-2026-48685[9]:
| FastNetMon Community Edition through 1.2.9 has out-of-bounds memory
| access because it incorrectly parses BGP path attributes with the
| extended length flag set. In src/bgp_protocol.hpp, the
| parse_raw_bgp_attribute() function correctly identifies when
| extended_length_bit is set and sets length_of_length_field to 2, but
| then reads only a single byte for the attribute value length
| (attribute_value_length = value[2] at line 173). Per RFC 4271
| Section 4.3, when the Extended Length bit is set, the Attribute
| Length field is two octets and the value should be read as a 16-bit
| big-endian integer from value[2] and value[3]. As a result, any
| attribute longer than 255 bytes has its length silently truncated to
| the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes).
| The remaining 256 bytes are then misinterpreted as subsequent
| attributes, causing cascading parse failures and potential out-of-
| bounds memory access.
CVE-2026-48684[10]:
| FastNetMon Community Edition through 1.2.9 contains an out-of-bounds
| read in the NetFlow v9 options template parser. In
| process_netflow_v9_options_template()
| (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing
| loop (lines 224-229) iterates until scopes_offset reaches the
| attacker-controlled option_scope_length value, reading
| netflow9_template_flowset_record_t structures at each step. No
| bounds check validates that (zone_address + scopes_offset +
| sizeof(record)) stays within the flowset. The same issue affects the
| options field loop (lines 241-257) with option_length. Furthermore,
| option_scope_length is not validated to be a multiple of
| sizeof(netflow9_template_flowset_record_t), potentially causing
| misaligned reads. An attacker can trigger reads past the end of the
| UDP packet buffer.
CVE-2026-48683[11]:
| FastNetMon Community Edition through 1.2.9 contains an out-of-bounds
| read vulnerability in the NetFlow v9 data flowset processor. In
| src/netflow_plugin/netflow_v9_collector.cpp, the Data template
| branch (lines 1695-1702) iterates over flow records without
| performing a per-iteration bounds check against the packet end
| pointer. In contrast, the Options template branch (lines 1709-1719)
| correctly checks 'if (pkt + offset + field_template->total_length >
| packet_end)' before each iteration. The Data branch omits this check
| entirely. Since template definitions are sent by the network peer
| (and are unauthenticated UDP), an attacker can craft templates that
| cause the parser to read arbitrary memory past the packet buffer.
| This can leak sensitive memory contents or cause a crash.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48689
https://www.cve.org/CVERecord?id=CVE-2026-48689
[1] https://security-tracker.debian.org/tracker/CVE-2026-48688
https://www.cve.org/CVERecord?id=CVE-2026-48688
[2] https://security-tracker.debian.org/tracker/CVE-2026-48696
https://www.cve.org/CVERecord?id=CVE-2026-48696
[3] https://security-tracker.debian.org/tracker/CVE-2026-48695
https://www.cve.org/CVERecord?id=CVE-2026-48695
[4] https://security-tracker.debian.org/tracker/CVE-2026-48694
https://www.cve.org/CVERecord?id=CVE-2026-48694
[5] https://security-tracker.debian.org/tracker/CVE-2026-48691
https://www.cve.org/CVERecord?id=CVE-2026-48691
[6] https://security-tracker.debian.org/tracker/CVE-2026-48690
https://www.cve.org/CVERecord?id=CVE-2026-48690
[7] https://security-tracker.debian.org/tracker/CVE-2026-48687
https://www.cve.org/CVERecord?id=CVE-2026-48687
[8] https://security-tracker.debian.org/tracker/CVE-2026-48686
https://www.cve.org/CVERecord?id=CVE-2026-48686
[9] https://security-tracker.debian.org/tracker/CVE-2026-48685
https://www.cve.org/CVERecord?id=CVE-2026-48685
[10] https://security-tracker.debian.org/tracker/CVE-2026-48684
https://www.cve.org/CVERecord?id=CVE-2026-48684
[11] https://security-tracker.debian.org/tracker/CVE-2026-48683
https://www.cve.org/CVERecord?id=CVE-2026-48683
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: fastnetmon
Source-Version: 1.2.9-1
Done: Patrick Matthäi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fastnetmon, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated fastnetmon package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 11:42:27 +0200
Source: fastnetmon
Architecture: source
Version: 1.2.9-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Closes: 1138646
Changes:
fastnetmon (1.2.9-1) unstable; urgency=high
.
* New upstream release.
- This release fixes various security issues: CVE-2026-48689,
CVE-2026-48688, CVE-2026-48696, CVE-2026-48695, CVE-2026-48694,
CVE-2026-48691, CVE-2026-48690, CVE-2026-48687, CVE-2026-48686,
CVE-2026-48685, CVE-2026-48684 and CVE-2026-48683.
Closes: #1138646
Checksums-Sha1:
a4e5d6e0fb0705521376e840890780f83a408b07 2262 fastnetmon_1.2.9-1.dsc
9e3df6f71458194ac08f5360e286ea7385ebd75d 1530122 fastnetmon_1.2.9.orig.tar.gz
11841e30d7191e3bd0e47fc8a16d0e56a33337d6 5072 fastnetmon_1.2.9-1.debian.tar.xz
1e2212f2d42ef58769d2948bfa2800170d0dabe4 7181
fastnetmon_1.2.9-1_source.buildinfo
Checksums-Sha256:
e078fb8f5c0a79e9301f3a734c094d5a22f28f39027f684a788f6070973695b9 2262
fastnetmon_1.2.9-1.dsc
a219e6dd30ad60ed0562243c7830dba053f740c28cee9cb70ac0b78a5121e4dd 1530122
fastnetmon_1.2.9.orig.tar.gz
83fd9a092d3c3c357e2433f8b3d82bfa0a30ef6b4d3446ba97d7b426c57793eb 5072
fastnetmon_1.2.9-1.debian.tar.xz
584a871370287580b77667e89b736e5ab0b195ed3693e62ffa979d9e5f086b75 7181
fastnetmon_1.2.9-1_source.buildinfo
Files:
8ea3ad466b0c680b535917f7c7ba23fa 2262 net optional fastnetmon_1.2.9-1.dsc
ea57ea1db13ae50ce12b32d1a2945238 1530122 net optional
fastnetmon_1.2.9.orig.tar.gz
4e194dae4797db3cce32b39b61d44e01 5072 net optional
fastnetmon_1.2.9-1.debian.tar.xz
0daaf446ef7fa598b614054771741b9a 7181 net optional
fastnetmon_1.2.9-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEWKA9xYJCWk3IuQ4TEtmwSpDL2OQFAmoeqCoACgkQEtmwSpDL
2OQO3A//fF+J7cZj2tYNKo5h6rt7paiBOquj0NbzqYH9CdKa4ozlRNsA1Q8u0JNd
0tYb/VcC9sd2fyHt1ByVTb3vypIQ0BZJnyglJNWGwiyBbA0E0wq6IPLGAh8D6YHi
FjXeupfMIbZn2HfV6b8Rftny240kuc786J9+kbxB6h0bKYW2LhOJ+BcuncXzR8C3
P0R1fvSssWPrjh9t40jDrkmrOnQSk0S1XGvCBaKqx1Rr8I0TUCOWu+6jZbo6kzft
nrK+eAZy1yWhAwtrh1f4xpNnaJpQmm6ggOnjxc8zYfzn/6fGZ7sVqkgUKSI1e4sS
VBLUWQXNY+4DwHnvAXqPhXdVXYLq4Xsjkx1dZzYZ4BPC7iA0BrpEUKfDB8eMWd/E
w+X/TQ9tV2Jotv7Qt9ZRyuwH0AQKST7GfisUEgac7nGJvgajqOm/a4F9oFhS/fwm
3LmuOQKZpl8oadJD8Pbf4EwECmHNGumB0eh281lUjxktWahE69jn3coF8N5HYm+B
7285MAooaPny6krQW8a1LDrK17DwR4VX8f9ZXhTjiJHzeXO+mcrW9YC8fpDcR05G
vn/DZ0UeDu8adPIShlqw3SWQ0TB/0aC03+ICcJ/mlLlWxCb/VteLlnMxUa1KEPbd
6NL/X1pi2DjYb3c3HTJONulOfMqhBK0UhGmDwdVqGURic4yKpME=
=RSSE
-----END PGP SIGNATURE-----
pgpxcSzs5NBqz.pgp
Description: PGP signature
--- End Message ---
