Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 903757 (CVE-2022-36440, CVE-2022-37032) - <net-misc/frr-8.4.1: DoS vulnerability via reachable assertion
Summary: <net-misc/frr-8.4.1: DoS vulnerability via reachable assertion
Alias: CVE-2022-36440, CVE-2022-37032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on:
Reported: 2023-04-04 04:22 UTC by John Helmert III
Modified: 2023-12-27 00:23 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-04 04:22:14 UTC
CVE-2022-36440 (

A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS.

Looks like there's another unpublished "vulnerability" irresponsibly
disclosed in this person's Github account, a heap buffer overread:

Reported upstream at:
Comment 1 Larry the Git Cow gentoo-dev 2023-04-04 08:07:52 UTC
The bug has been referenced in the following commit(s):

commit d73e4bec2216ced5da63e04932f79f1f5b8468c4
Author:     Jakov Smolić <>
AuthorDate: 2023-04-04 08:03:36 +0000
Commit:     Jakov Smolić <>
CommitDate: 2023-04-04 08:06:18 +0000

    net-misc/frr: add 8.5
    Signed-off-by: Jakov Smolić <>

 net-misc/frr/Manifest       |   1 +
 net-misc/frr/frr-8.5.ebuild | 149 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 150 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-16 18:29:45 UTC
Fixed in 8.4 onwards according to upstream.