Message-ID: <CA+W5nyiFPweL5LDEKpUSJAo8NhKQz53o=d=9HBdHipQ7d0N3Mw@mail.gmail.com>
Date: Tue, 2 Jun 2026 10:07:29 +0800
From: Bakabaka_9 <qilunuobakabaka9@...il.com>
To: oss-security@...ts.openwall.com
Subject: BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending
Hi oss-security,
I would like to disclose a vulnerability in BIRD 2.x's BGP AS_PATH
mask matching code.
Summary
=======
BIRD 2.x can crash when evaluating a crafted BGP AS_PATH with an AS
path mask filter, for example a filter using syntax similar to:
bgp_path ~ [= ... =]
The issue is triggered during AS_PATH mask matching, involving the
path expansion and matching logic used by as_path_match(). A sufficiently
large or specially crafted AS_PATH can exceed a fixed-size stack buffer
used during matching.
The confirmed impact is denial of service of the BIRD daemon. Memory
corruption was observed under AddressSanitizer. Code execution has not
been demonstrated.
Affected versions
=================
Tested affected:
- BIRD 2.16.2
Possibly affected:
- Other BIRD 2.x versions using the same AS_PATH mask matching
implementation.
Not affected:
- Unknown.
Fixed version
=============
No fixed version is available at the time of this disclosure.
CVE
===
A CVE ID was requested from MITRE on 2026-05-28, but no CVE ID has
been assigned yet.
Impact
======
A malicious or compromised BGP peer can send a crafted AS_PATH that is
accepted by BIRD and later evaluated by a local AS path mask filter.
When the crafted AS_PATH is evaluated by the path mask matching logic,
BIRD may overflow a stack buffer and crash. This causes denial of
service of the routing daemon, BGP session resets, and possible route
withdrawal or route instability depending on the deployment.
The confirmed impact is remote peer-triggered denial of service.
Memory corruption was observed under ASan. Remote code execution has
not been demonstrated.
Attack requirements
===================
The following conditions are required to trigger the issue:
- The attacker must be able to establish a BGP session with the target
BIRD instance, or otherwise send accepted BGP UPDATE messages as a
configured or trusted peer.
- The target configuration must evaluate the received AS_PATH with an
AS path mask, for example by using a filter expression such as:
bgp_path ~ [= ... =]
- The issue is easier to trigger when BGP Extended Messages are enabled,
because larger UPDATE messages allow larger path attributes.
- Confederation AS_PATH segments may make simple length-based
mitigations unreliable, depending on how the local filter checks
AS_PATH length before path mask evaluation.
This is not known to be directly exploitable by an unauthenticated
Internet host unless that host can become an accepted BGP peer.
Technical details
=================
The vulnerable code path is in the AS_PATH mask matching logic. During
matching, BIRD expands or processes AS_PATH data for comparison against
an AS path mask. The matching logic uses a fixed-size stack buffer, but
the effective expanded path representation can exceed that buffer for
large or specially crafted AS_PATH attributes.
In a local test environment, a crafted AS_PATH received from a BGP peer
and evaluated by a filter using AS path mask matching caused an
AddressSanitizer-detected stack buffer overflow and terminated the BIRD
process.
The reproducer used a local lab with two BIRD instances configured as
BGP peers. A full weaponized reproducer, raw BGP UPDATE payload, and
packet capture are not included in this initial disclosure.
Mitigation
==========
Until an upstream fix is available, operators should consider the
following mitigations:
- Avoid applying AS path mask matching to routes received from
untrusted or semi-trusted BGP peers.
- Avoid using filters such as:
bgp_path ~ [= ... =]
on untrusted input unless AS_PATH size and structure are strictly
bounded before evaluation.
- Do not enable BGP Extended Messages for untrusted peers unless they
are required.
- Reject unusually large AS_PATH attributes before any AS path mask
matching is performed.
- Be careful with checks based only on bgp_path.len, as confederation
AS_PATH segments may not be counted there in the same way as they are
expanded or processed during matching.
- Restrict BGP sessions to trusted peers.
- Use TCP MD5, TCP-AO, GTSM/TTL security, strict prefix/AS_PATH policy,
and session-level filtering where applicable.
- Monitor for unexpected bird/bird2 crashes and BGP session resets.
- Run BIRD under systemd hardening and automatic restart policies as a
defense-in-depth measure.
Upstream status
===============
The issue was reported to CZ.NIC on 2026-05-02.
On 2026-05-24, CZ.NIC stated that they do not currently plan to fix
the issue.
No fixed release is available at the time of this disclosure.
Timeline
========
2026-05-02: Vulnerability discovered.
2026-05-02: Reported to CZ.NIC.
2026-05-03: CZ.NIC acknowledged the report.
2026-05-24: CZ.NIC stated that they do not currently plan to fix the issue.
2026-05-28: CVE requested from MITRE.
2026-06-02: Public disclosure on oss-security.
References
==========
- BIRD project: https://bird.network.cz/
- Upstream report: private report to CZ.NIC, not publicly available
- Proposed patch: not available
- CVE request: pending
Credits
=======
Discovered by Bakabaka_9.