CVE-2022-26125 – CVE-2022-26125 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2022-26125?

CVE-2022-26125 has a CVSS score of 7.8 (HIGH). CVE-2022-26125 is a buffer overflow vulnerability in FRRouting's IS-IS protocol implementation due to insufficient input validation of packet length. This allows attackers to potentially execute arbitrary code or cause denial of service by sending specially crafted IS-IS packets. Organizations running FRRouting versions through 8.1.0 with IS-IS enabled are affected.

📋 TL;DR

CVE-2022-26125 is a buffer overflow vulnerability in FRRouting's IS-IS protocol implementation due to insufficient input validation of packet length. This allows attackers to potentially execute arbitrary code or cause denial of service by sending specially crafted IS-IS packets. Organizations running FRRouting versions through 8.1.0 with IS-IS enabled are affected.

💻 Affected Systems

Products:

FRRouting

Versions: All versions through 8.1.0

Operating Systems: Linux-based systems running FRRouting

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when IS-IS protocol is enabled and configured. Systems without IS-IS enabled are not affected.

📦 What is this software?

Frrouting by Frrouting

View all CVEs affecting Frrouting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, allowing attackers to gain control of the routing infrastructure.

🟠

Likely Case

Denial of service causing routing protocol instability and network disruption.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing unauthorized IS-IS traffic.

🌐 Internet-Facing: MEDIUM - IS-IS routing protocols are typically used internally, but misconfigurations could expose them externally.

🏢 Internal Only: HIGH - IS-IS is commonly used in internal routing infrastructure, making vulnerable systems attractive targets.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted IS-IS packets to vulnerable systems. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.1.0, specifically 8.2 and later

Vendor Advisory: https://github.com/FRRouting/frr/issues/10507

Restart Required: Yes

Instructions:

1. Upgrade FRRouting to version 8.2 or later. 2. Stop FRRouting service. 3. Install updated package. 4. Restart FRRouting service. 5. Verify IS-IS adjacency re-establishment.

🔧 Temporary Workarounds

Disable IS-IS Protocol

linux

Temporarily disable IS-IS routing protocol if not required for network operations

router isis
no isis enable
end
write memory

Implement Access Control Lists

linux

Restrict IS-IS traffic to trusted sources only

access-list 1 permit 10.0.0.0 0.255.255.255
router isis
distribute-list 1 in
end
write memory

🧯 If You Can't Patch

Implement strict network segmentation to isolate IS-IS traffic to trusted segments only
Deploy network-based intrusion prevention systems to detect and block malicious IS-IS packets

🔍 How to Verify

Check if Vulnerable:

Check FRRouting version and IS-IS configuration: 'show version' and 'show running-config | include router isis'

Check Version:

frr --version || show version

Verify Fix Applied:

Verify FRRouting version is 8.2 or later: 'show version' and confirm IS-IS is functioning normally

📡 Detection & Monitoring

Log Indicators:

IS-IS protocol errors
FRRouting crash logs
Memory corruption warnings in system logs

Network Indicators:

Unusual IS-IS packet sizes
IS-IS protocol flaps
Routing table instability

SIEM Query:

source="frr.log" AND ("IS-IS error" OR "buffer overflow" OR "segmentation fault")

📊 Metadata

CVE ID: CVE-2022-26125

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: March 3, 2022

Last Updated: November 4, 2025

🔗 References

https://github.com/FRRouting/frr/issues/10507 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html
https://github.com/FRRouting/frr/issues/10507 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26125, you might also want to check these: