CVE-2025-61107

7.5 HIGH

📋 TL;DR

A NULL pointer dereference vulnerability in FRRouting's OSPF implementation allows attackers to crash the routing daemon via specially crafted LSA Update packets. This affects FRRouting versions 4.0 through 10.4.1, causing denial of service to network routing. Organizations using FRRouting for OSPF routing are vulnerable to service disruption.

💻 Affected Systems

Products:
  • FRRouting (frr)
Versions: v4.0 through v10.4.1
Operating Systems: Linux, FreeBSD, Other Unix-like systems running FRRouting
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with OSPF enabled and configured. The vulnerability is in the OSPF extension prefix preference SID functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete routing daemon crash leading to network-wide routing failures, potential cascading outages in dependent systems, and extended service disruption until manual restart.

🟠 Likely Case

Targeted OSPF router crashes causing localized network segmentation, dropped traffic, and manual intervention required to restore service.

🟢 If Mitigated

Isolated router failure with minimal impact due to redundant routing protocols or quick failover mechanisms.

🌐 Internet-Facing: MEDIUM - Requires OSPF adjacency with attacker, but OSPF is often used on internal networks rather than internet-facing interfaces.
🏢 Internal Only: HIGH - OSPF is commonly deployed internally; attackers with network access can exploit this to disrupt internal routing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending crafted OSPF LSA Update packets to vulnerable router.

Exploitation requires network access that allows an OSPF adjacency with the target router. OSPF protocol packets require no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.4.2 and later, backported to earlier versions via commit fdd957408605d4a1766225630aafc7e6b7c3daf3

Vendor Advisory: https://github.com/FRRouting/frr/issues/19471

Restart Required: Yes

Instructions:

1. Update FRRouting to version 10.4.2 or later.
2. Apply the patch from commit fdd957408605d4a1766225630aafc7e6b7c3daf3 if using older versions.
3. Restart the FRRouting service.

🔧 Temporary Workarounds

Disable OSPF Extensions

Disable OSPF extension prefix preference SID functionality if not required.

router ospf
no capability ext-prefix-pref-sid

OSPF Authentication

Enable OSPF MD5 authentication to prevent unauthorized OSPF adjacency.

interface <interface>
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 <key>

🧯 If You Can't Patch

  • Implement strict network segmentation to limit OSPF adjacency to trusted routers only.
  • Deploy network monitoring to detect anomalous OSPF traffic patterns and potential exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the FRRouting version with 'frr --version' or 'show version' in the FRRouting CLI. If the version is between 4.0 and 10.4.1 inclusive and OSPF is enabled, the system is vulnerable.

Check Version:

frr --version

Verify Fix Applied:

Verify FRRouting version is 10.4.2 or later, or check if commit fdd957408605d4a1766225630aafc7e6b7c3daf3 is applied in git history.
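
The version and OSPF checks above can be scripted for fleet triage. The following is an added example, not code from the advisory or the FRRouting project. It assumes the 'show version' banner begins with "FRRouting <version>" and that daemon startup is controlled by /etc/frr/daemons; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): version/daemon triage for CVE-2025-61107.
# Affected range per the advisory: 4.0 through 10.4.1; fixed in 10.4.2.

# Pull the dotted version out of 'show version' text ("FRRouting 10.4.1 (host) ...").
frr_version_from_text() {
    printf '%s\n' "$1" | sed -n 's/^FRRouting \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Numeric compare of dotted versions (first three fields): prints lt, eq or gt.
ver_cmp() {
    a="$1.0.0"; b="$2.0.0"   # pad so that "10.4" compares as "10.4.0"
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
    done
    echo eq
}

# True when VERSION lies in the affected range, 4.0 <= v <= 10.4.1.
in_affected_range() {
    [ "$(ver_cmp "$1" 4.0)" != lt ] && [ "$(ver_cmp "$1" 10.4.1)" != gt ]
}

# True when the daemons file (assumed path: /etc/frr/daemons) starts ospfd.
ospfd_enabled() {
    grep -Eq '^[[:space:]]*ospfd=yes' "$1" 2>/dev/null
}

# Classify one router from its 'show version' text and daemons file.
triage() {
    v=$(frr_version_from_text "$1")
    if [ -z "$v" ]; then echo "unknown-version"; return; fi
    if ! in_affected_range "$v"; then echo "not-in-range $v"; return; fi
    if ! ospfd_enabled "$2"; then echo "in-range-ospf-off $v"; return; fi
    # A backported fix leaves the version string unchanged: confirm the commit too.
    echo "in-range-ospf-on $v"
}

# Live check only where vtysh is installed; elsewhere the functions are just defined.
if command -v vtysh >/dev/null 2>&1; then
    triage "$(vtysh -c 'show version' 2>/dev/null)" /etc/frr/daemons
fi
```

The comparison is numeric per field, so a release such as 10.10 is not mistaken for something older than 10.4.1. An "in-range-ospf-on" result on a build carrying the backported commit still needs the git-history check described above.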

📡 Detection & Monitoring

Log Indicators:

  • FRRouting daemon crash logs
  • OSPF adjacency flapping
  • Unexpected OSPF LSA updates in logs

Network Indicators:

  • Unusual OSPF packet patterns
  • OSPF adjacency resets from unknown sources
  • Increased OSPF traffic to specific routers

SIEM Query:

source="frr.log" AND ("segmentation fault" OR "NULL pointer" OR "ospf_ext.c")
