CVE-2026-46433
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In lldpd prior to version 1.0.22, there is a bug in the lldpd_decode() function that leads to a heap buffer over-read. This issue arises from incorrect byte count calculation, which may result in memory violations.
Risk Assessment
Organizations may be exposed to attacks exploiting this bug, potentially leading to unauthorized memory access or system instability. Specifically, attackers could leverage this issue to read sensitive data.
Recommendation
It is recommended to update lldpd to version 1.0.22 or later to mitigate this vulnerability. Additionally, monitoring and auditing network configurations can help identify potential threats.
Original NVD description (English source)
lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22.

