A critical stack-based buffer overflow vulnerability in the BIRD Internet Routing Daemon, tracked as CVE-2026-49943, allows remote attackers to trigger a buffer overflow through crafted BGP AS_PATH attributes. BIRD is one of the most widely deployed open-source BGP routing daemons, used by internet exchanges, hosting providers, content delivery networks, and enterprises for core internet routing. The vulnerability affects BIRD versions through 2.19.0.
What Is the Vulnerability?
CVE-2026-49943 is a stack-based buffer overflow in BIRD’s BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function, which processes BGP AS_PATH attributes — the list of Autonomous Systems that a route has traversed — does not properly validate input sizes, allowing a specially crafted BGP UPDATE message with a malicious AS_PATH to overflow a stack buffer.
BGP (Border Gateway Protocol) is the routing protocol that connects the internet: it determines how data flows between networks worldwide. BIRD is a BGP daemon that runs on route servers at internet exchange points (IXPs), border routers at ISPs and hosting providers, and enterprise edge routers. A compromised BGP router can be used to hijack IP prefixes (redirecting traffic to attacker-controlled networks), blackhole traffic (causing denial of service), or intercept and manipulate traffic flows. A buffer overflow in the AS_PATH processing code is particularly dangerous because AS_PATH attributes are present in every BGP UPDATE message and are processed before any policy filters are applied.
- CVSS v3.1 Score: 9.8 (Critical)
- CWE: CWE-121 (Stack-Based Buffer Overflow)
- Attack Vector: Network — via BGP peering session
Which Versions Are Affected?
- BIRD Internet Routing Daemon: all versions through 2.19.0
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported. However, BGP vulnerabilities are high-value targets for nation-state actors and sophisticated threat groups. The attack requires a BGP peering session — either established legitimately or through BGP hijacking of an existing session — which raises the attack complexity but is well within the capabilities of advanced adversaries.
What Is the Fix?
Update BIRD to a version that includes the fix for CVE-2026-49943. Monitor the BIRD project’s release page and your distribution’s package repositories for the patched version. After updating, verify the BIRD version with bird --version and restart the BIRD service.
Recommendations
Patch BIRD immediately on all BGP-speaking routers. This is a CVSS 9.8 buffer overflow in core internet routing infrastructure. Prioritise route servers at IXPs and border routers that peer with external networks, as these have the broadest BGP attack surface.
Apply BGP security best practices: implement RPKI (Resource Public Key Infrastructure) route origin validation, configure maximum prefix limits on all BGP peers, enable TTL security (GTSM), and use MD5 or TCP-AO authentication on BGP sessions. These measures do not prevent this specific vulnerability but provide defence-in-depth for BGP infrastructure.
Monitor BGP session logs after patching. Review BIRD logs for unexpected BGP UPDATE messages with unusually long AS_PATH attributes, and for any BIRD process crashes or restarts that could indicate exploitation attempts.
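One way to check captured BGP UPDATE messages for the unusually long AS_PATH attributes mentioned above. This is an added example, not BIRD's code and not part of the original advisory. It assumes raw UPDATE messages taken from a packet capture, 4-octet ASNs, and an alert threshold of 64 ASNs chosen for illustration; as_path_segments, triage and build_update are hypothetical names, and build_update only produces constructed samples.

```python
import struct

AS_PATH, EXT_LEN = 2, 0x10   # attribute type code and extended-length flag (RFC 4271)
MAX_ASNS = 64                # assumed alert threshold, not a BIRD limit

def _need(ok, why):
    if not ok:
        raise ValueError(why)

def as_path_segments(msg, asn_size=4):
    """ASN count per AS_PATH segment of one UPDATE; asn_size=4 assumes RFC 6793 ASNs."""
    _need(len(msg) >= 23 and msg[:16] == b"\xff" * 16, "bad header")
    total, mtype = struct.unpack_from("!HB", msg, 16)
    _need(mtype == 2 and total == len(msg), "not one complete UPDATE")
    pos = 21 + struct.unpack_from("!H", msg, 19)[0]      # skip withdrawn routes
    _need(pos + 2 <= len(msg), "withdrawn length overruns message")
    end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    _need(end <= len(msg), "attribute length overruns message")
    pos, segs = pos + 2, []
    while pos < end:
        _need(pos + 3 <= end, "truncated attribute header")
        flags, code, vlen, hdr = msg[pos], msg[pos + 1], msg[pos + 2], 3
        if flags & EXT_LEN:                              # two-octet length field
            _need(pos + 4 <= end, "truncated attribute header")
            vlen, hdr = struct.unpack_from("!H", msg, pos + 2)[0], 4
        pos, vend = pos + hdr, pos + hdr + vlen
        _need(vend <= end, "attribute value overruns attributes")
        while code == AS_PATH and pos < vend:            # segment: type, count, ASNs
            _need(pos + 2 <= vend, "truncated segment header")
            segs.append(msg[pos + 1])
            pos += 2 + msg[pos + 1] * asn_size
            _need(pos <= vend, "segment overruns AS_PATH")
        pos = vend
    return segs

def triage(msg):
    """Classify one UPDATE as 'ok', 'long-as-path' or 'malformed'."""
    try:
        return "long-as-path" if sum(as_path_segments(msg)) > MAX_ASNS else "ok"
    except ValueError:
        return "malformed"

def build_update(seg_counts, lie=0):
    """Constructed sample UPDATE (private ASN 64512); lie inflates declared counts only."""
    value = b"".join(bytes([2, n + lie]) + struct.pack("!I", 64512) * n for n in seg_counts)
    attr = bytes([0x40 | EXT_LEN, AS_PATH]) + struct.pack("!H", len(value)) + value
    body = struct.pack("!HH", 0, len(attr)) + attr
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

Messages that triage as long-as-path or malformed are the ones to correlate with BIRD crashes or restarts on the receiving router.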
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
