A critical (CVSS 9.8) off-by-one heap buffer overflow in FastNetMon Community Edition through 1.2.9 allows unauthenticated remote attackers to corrupt heap metadata via crafted NetFlow, sFlow, IPFIX, or BGP traffic.
What Is It
CVE-2026-48689 is a CWE-787 out-of-bounds write in the dynamic_binary_buffer_t class defined in src/dynamic_binary_buffer.hpp. Five methods, append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, and memcpy_from_object_ptr, use an incorrect bounds check of the form if (offset + length > maximum_internal_storage_size + 1) instead of the correct if (offset + length > maximum_internal_storage_size). The off-by-one permits writing exactly one byte past the end of the heap-allocated buffer. Notably, the sibling append_byte() method uses the correct check, confirming the inconsistency is a bug rather than an intended pattern.
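The difference between the two checks, shown in an added C++ example that is not FastNetMon's code. The class, the function names and the guard byte are assumptions made for illustration; the guard byte stands in for whatever follows the real buffer on the heap, so the one-byte overrun can be observed without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

constexpr uint8_t kGuard = 0xA5; // marker placed just past the logical end

// Simplified model of a fixed-capacity append buffer (hypothetical class,
// not FastNetMon's dynamic_binary_buffer_t). It allocates capacity + 1 bytes
// so the byte "one past the end" is owned by the model and can be inspected.
class bounded_buffer_model {
  public:
    bounded_buffer_model(size_t capacity, bool use_flawed_check)
        : storage_(capacity + 1, 0), capacity_(capacity), flawed_(use_flawed_check) {
        storage_[capacity_] = kGuard;
    }

    // Returns false when the bounds check rejects the write.
    bool append(const void* data, size_t length) {
        // Flawed form described in the advisory: limit is capacity + 1.
        // Correct form (as in append_byte): limit is capacity.
        size_t limit = flawed_ ? capacity_ + 1 : capacity_;
        if (offset_ + length > limit) {
            return false;
        }
        std::memcpy(storage_.data() + offset_, data, length);
        offset_ += length;
        return true;
    }

    bool guard_intact() const { return storage_[capacity_] == kGuard; }

  private:
    std::vector<uint8_t> storage_;
    size_t capacity_;
    size_t offset_ = 0;
    bool flawed_;
};

// Appends capacity + 1 bytes in one call; true if the guard byte survives.
bool guard_survives_overlong_append(bool use_flawed_check) {
    constexpr size_t capacity = 16;
    bounded_buffer_model buf(capacity, use_flawed_check);
    std::vector<uint8_t> input(capacity + 1, 0x41); // constructed sample input
    buf.append(input.data(), input.size());
    return buf.guard_intact();
}
```

A guard byte checked after each parse, or a build with AddressSanitizer, catches this class of error in testing where a plain run would show nothing.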
Why It Matters
The vulnerability scores CVSS 3.1 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no authentication, no user interaction, and full confidentiality, integrity, and availability impact. The affected class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. Any attacker able to send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger the overflow, potentially achieving arbitrary code execution by corrupting heap metadata. FastNetMon instances are typically deployed at network ingress points where they parse untrusted flow data, which expands the practical exposure.
What's Vulnerable
- Product: FastNetMon Community Edition
- Affected versions: all versions up to and including 1.2.9 (CPE cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*)
- Vulnerable component: dynamic_binary_buffer_t in src/dynamic_binary_buffer.hpp
- Attack surface: NetFlow, sFlow, IPFIX, and BGP message handling paths
Patch Status
The supplied NVD record does not list a fixed version or vendor advisory URL. References point to the upstream project repository and the source file containing the bug, along with a third-party advisory tagged as containing exploit detail. CISA KEV does not currently list this CVE, so there is no confirmed active exploitation in the wild per KEV at time of writing. Operators running FastNetMon Community Edition ≤ 1.2.9 should monitor the upstream repository for a patched release and restrict flow/BGP ingress to trusted sources in the interim.