CVE-2026-46433

Description

lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

lldpd / lldpd< 1.0.22 – < 1.0.22

References

VENDOR_ADVISORYhttps://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3
PATCHhttps://github.com/lldpd/lldpd/pull/787
PATCHhttps://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6
PATCHhttps://github.com/lldpd/lldpd/releases/tag/1.0.22