CVE-2026-48684

NameCVE-2026-48684
DescriptionFastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138646

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fastnetmon (PTS)bookworm, bookworm (security)1.2.4-2+deb12u1vulnerable
trixie1.2.8-1vulnerable
forky, sid1.2.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fastnetmonsource(unstable)1.2.9-1unimportant1138646

Notes

https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48684-netflow-v9-options-oob
Not a vulnerability by itself, controlling access is the responsibility of the deployment
https://github.com/pavel-odintsov/fastnetmon/commit/aa1069abaa8624e50b5d0c6c8ccd0f5d9ddc111e (v1.2.9)
https://github.com/pavel-odintsov/fastnetmon/pull/1057
Search for package or bug name: Reporting problems