ALPINE-CVE-2017-16227

ALPINE-CVE-2017-16227 PUBLISHED CVSS 7.5 HIGH

The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

Risk Scores

CVSS v3.0

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.5	quagga	0.99.23-r0, 0.99.22.4-r6, 0.99.22.4-r5
Alpine:v3.4	quagga	0, 0.99.11-r10, 0.99.11-r4
Alpine:v3.3	quagga	0.99.24.1-r5, 0.99.24.1-r4, 0.99.24.1-r3
Alpine:v3.6	quagga	0, 0.99.11-r10, 0.99.11-r4

Timeline

Oct 29, 2017 CVE Published
Nov 19, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2017-16227 advisory

Open in Interactive Console →