VDB
CVE-2022-37035
CVE-2022-37035
PUBLISHED
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.
EPSS 2.65% · 86.1th percentile
Risk Scores
EPSS Score
2.65%
86.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | * |
| frrouting | frrouting | 8.3 |
Timeline
- Aug 2, 2022 CVE Published
- Aug 3, 2022 EPSS Score
- Aug 11, 2022 EPSS Score
- Nov 4, 2022 EPSS Score
- Dec 20, 2022 EPSS Score
- Feb 5, 2023 EPSS Score
- Mar 23, 2023 EPSS Score
- May 8, 2023 EPSS Score
- Jun 24, 2023 EPSS Score
- Aug 9, 2023 EPSS Score
- Nov 10, 2023 EPSS Score
- Dec 27, 2023 EPSS Score
References
- https://docs.google.com/document/d/1TqYEcZbFeDTMKe2N4XRFwyAjw_mynIHfvzwbx1fmJj8/edit?usp=sharing url
- https://github.com/FRRouting/frr/issues/11698 url
- [debian-lts-announce] 20240428 [SECURITY] [DLA 3797-1] frr security update mailing-list
- https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html url
- https://nvd.nist.gov/vuln/detail/CVE-2022-37035 advisory