CVE-2022-26127

7.8 HIGH

📋 TL;DR

CVE-2022-26127 is a buffer overflow vulnerability in FRRouting's Babel routing protocol daemon that allows remote attackers to execute arbitrary code or cause denial of service. The vulnerability affects FRRouting installations with Babel protocol enabled, particularly network devices and servers running affected versions. Attackers can exploit this by sending specially crafted Babel packets to vulnerable systems.

💻 Affected Systems

Products:
  • FRRouting
Versions: All versions through 8.1.0
Operating Systems: Linux-based systems, Network appliances using FRRouting
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Babel routing protocol is enabled and configured. Systems without Babel enabled are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, allowing attackers to install malware, pivot to other systems, or disrupt network operations.

🟠 Likely Case

Denial of service causing routing instability, network outages, or system crashes affecting network connectivity.

🟢 If Mitigated

Limited impact if proper network segmentation, firewalls, and access controls prevent unauthorized access to Babel ports.

🌐 Internet-Facing: MEDIUM - Risk exists if Babel protocol is exposed to untrusted networks, but Babel is typically used internally.
🏢 Internal Only: HIGH - Babel is commonly used in internal network routing, making internal systems vulnerable to lateral movement attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending crafted packets to the Babel daemon port (typically UDP 6696). No authentication is required if network access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRRouting 8.2 and later

Vendor Advisory: https://github.com/FRRouting/frr/issues/10487

Restart Required: Yes

Instructions:

1. Update FRRouting to version 8.2 or later.
2. For Debian/Ubuntu: apt update && apt install frr
3. Restart FRRouting service: systemctl restart frr
4. Verify Babel daemon is running correctly.

🔧 Temporary Workarounds

Disable Babel Protocol

linux

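Temporarily disable the Babel routing protocol if it is not essential for network operations. In packaged FRRouting installs, babeld is started by the frr service according to /etc/frr/daemons, so turn it off there and restart the service:

sed -i 's/^babeld=yes/babeld=no/' /etc/frr/daemons
systemctl restart frr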

Network Access Control

linux

Restrict access to Babel port (UDP 6696) using firewall rules

iptables -A INPUT -p udp --dport 6696 -j DROP
ufw deny 6696/udp

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Babel traffic to trusted networks only
  • Deploy intrusion detection systems to monitor for anomalous Babel packet patterns

🔍 How to Verify

Check if Vulnerable:

Check the FRRouting version: vtysh -c "show version". If the version is 8.1.0 or earlier and Babel is enabled, the system is vulnerable.

Check Version:

vtysh -c "show version"

Verify Fix Applied:

Verify the FRRouting version is 8.2 or later: vtysh -c "show version". Check that babeld is listed among the running daemons: systemctl status frr.

📡 Detection & Monitoring

Log Indicators:

  • Babel daemon crash logs in /var/log/frr/babeld.log
  • System logs showing segmentation faults in babeld process

Network Indicators:

  • Unusually large Babel packets to UDP port 6696
  • Multiple malformed Babel protocol packets from single source

SIEM Query:

source="babeld.log" AND ("segmentation fault" OR "buffer overflow" OR "crash")
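
Added example (not part of the original advisory or of FRRouting): a framing check for UDP/6696 payloads that turns the network indicators listed above into something a sensor can evaluate, using the packet header and TLV layout from RFC 8966. The 1500-byte size limit, the per-source threshold, the function names and the sample payloads are assumptions made for this illustration; it validates generic Babel framing and is not a signature for this CVE.

```python
import struct
from collections import Counter

BABEL_MAGIC, BABEL_VERSION, HEADER_LEN = 42, 2, 4  # RFC 8966 packet header
MAX_EXPECTED_LEN = 1500  # assumption: above a typical MTU counts as "unusually large"

def check_babel_datagram(data: bytes) -> list:
    """Return framing problems for one UDP/6696 payload; [] means well-formed."""
    problems = ["oversized"] if len(data) > MAX_EXPECTED_LEN else []
    if len(data) < HEADER_LEN:
        return problems + ["short-header"]
    magic, version, body_len = struct.unpack("!BBH", data[:HEADER_LEN])
    if magic != BABEL_MAGIC:
        return problems + ["bad-magic"]
    if version != BABEL_VERSION:
        return problems + ["bad-version"]
    if body_len > len(data) - HEADER_LEN:
        return problems + ["body-length-exceeds-datagram"]
    body, i = data[HEADER_LEN:HEADER_LEN + body_len], 0
    while i < len(body):
        if body[i] == 0:            # Pad1 TLV is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(body):      # type byte present, length byte missing
            problems.append("tlv-truncated")
            break
        if i + 2 + body[i + 1] > len(body):  # declared TLV length runs past the body
            problems.append("tlv-overruns-body")
            break
        i += 2 + body[i + 1]
    return problems

def noisy_sources(packets, threshold=3):
    """Map source -> malformed count for sources at or above the threshold."""
    hits = Counter(src for src, data in packets if check_babel_datagram(data))
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample payloads and documentation-range addresses (not captured traffic).
VALID_HELLO = bytes.fromhex("2a020008" "0406000000010190")
LONG_BODY = bytes.fromhex("2a020100" "0406000000010190")
TLV_OVERRUN = bytes.fromhex("2a020004" "04c80000")
SAMPLE = [("2001:db8::a", VALID_HELLO), ("2001:db8::b", LONG_BODY),
          ("2001:db8::b", TLV_OVERRUN), ("2001:db8::b", b"\x2a\x02\x00"),
          ("2001:db8::a", TLV_OVERRUN)]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        print(src, check_babel_datagram(payload) or "ok")
    print("flag:", noisy_sources(SAMPLE))
```

Data following the declared body is not flagged, because RFC 8966 allows a packet trailer after the body.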
