CVE-2022-26129 – CVE-2022-26129 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2022-26129?

CVE-2022-26129 has a CVSS score of 7.8 (HIGH). CVE-2022-26129 is a buffer overflow vulnerability in FRRouting's Babel routing daemon due to improper length validation of sub-TLV fields in Babel protocol messages. Attackers can exploit this to crash the babeld service or potentially execute arbitrary code. Organizations running FRRouting with Babel protocol enabled are affected.

📋 TL;DR

CVE-2022-26129 is a buffer overflow vulnerability in FRRouting's Babel routing daemon due to improper length validation of sub-TLV fields in Babel protocol messages. Attackers can exploit this to crash the babeld service or potentially execute arbitrary code. Organizations running FRRouting with Babel protocol enabled are affected.

💻 Affected Systems

Products:

FRRouting (FRR)

Versions: All versions through 8.1.0

Operating Systems: Linux distributions including Debian, Ubuntu, CentOS, RHEL

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when Babel routing protocol is enabled and configured. Default FRR installations typically don't enable Babel by default.

📦 What is this software?

Frrouting by Frrouting

View all CVEs affecting Frrouting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, allowing attackers to take control of routing infrastructure and pivot to other network segments.

🟠

Likely Case

Denial of service through babeld service crash, disrupting routing tables and causing network instability or outages.

🟢

If Mitigated

Limited to service restart if exploit attempts are detected and blocked by network controls, with minimal operational impact.

🌐 Internet-Facing: MEDIUM - Exploitation requires Babel protocol exposure to untrusted networks, which is less common than standard routing protocols.

🏢 Internal Only: LOW - Internal exploitation requires attacker access to the network segment where Babel protocol is used.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted Babel protocol packets to vulnerable systems. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRR 8.2 and later

Vendor Advisory: https://github.com/FRRouting/frr/issues/10503

Restart Required: Yes

Instructions:

1. Update FRR to version 8.2 or later using your distribution's package manager. 2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade frr. 3. For RHEL/CentOS: sudo yum update frr. 4. Restart FRR services: sudo systemctl restart frr

🔧 Temporary Workarounds

Disable Babel Protocol

linux

If Babel routing protocol is not required, disable it to eliminate the attack surface.

sudo vtysh
configure terminal
no router babel
end
write memory

Network Segmentation

linux

Restrict Babel protocol traffic to trusted network segments using firewall rules.

sudo iptables -A INPUT -p udp --dport 6696 -s ! TRUSTED_NETWORK -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit Babel protocol (UDP port 6696) to trusted sources only.
Deploy intrusion detection systems to monitor for anomalous Babel protocol traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check FRR version: frr --version. If version is 8.1.0 or earlier and Babel is enabled, the system is vulnerable.

Check Version:

frr --version

Verify Fix Applied:

After patching, verify FRR version is 8.2 or later: frr --version. Confirm Babel functionality if required.

📡 Detection & Monitoring

Log Indicators:

FRR/babeld crash logs
Segmentation fault errors in system logs
Unexpected babeld service restarts

Network Indicators:

Unusual Babel protocol traffic patterns
Malformed Babel packets exceeding normal TLV lengths

SIEM Query:

source="frr.log" AND ("segmentation fault" OR "buffer overflow" OR "babeld crashed")

📊 Metadata

CVE ID: CVE-2022-26129

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-119

Published: March 3, 2022

Last Updated: November 4, 2025

🔗 References

https://github.com/FRRouting/frr/issues/10503 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html
https://github.com/FRRouting/frr/issues/10503 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26129, you might also want to check these: