Release date: 27 May, 2026
Version: 2.0.380
This release includes multiple security fixes and stability improvements across BGP, Flow Spec, Netflow v9, IPFIX, packet parsing, and internal buffer handling code. It addresses several vulnerabilities (CVE-2026-48682, CVE-2026-48683, CVE-2026-48684, CVE-2026-48686, CVE-2026-48688, CVE-2026-48689, CVE-2026-48690, and CVE-2026-48691) through stricter boundary validation, safer parsing logic, integer overflow protections, and expanded test coverage.
The release also includes improvements to Netflow v9 and IPFIX processing, enhanced Flow Spec parser safety, full support for all BGP origin types, and a complete rework of remote host unban logic with new configuration controls and attack direction detection.
We strongly recommend all FastNetMon users upgrade immediately to this release.
Full list of changes
- Added explicit block when we try to encode too long ASPATH to avoid uint8_t overflow, CVE-2026-48691
- Added full support of all origin types. Previously we had hardcoded BGP_ORIGIN_INCOMPLETE
- Addressed integer overflow for pcap buffer allocation logic, CVE-2026-48690
- Tightened security of decode_mp_reach_attribute_to_ipv6_announce with all required extensive security checks, CVE-2026-48688
- Add test for single byte next hop for IPv6 announce
- Tightened number of flows per IPFIX packet to 256
- Added additional boundary checks in process_netflow_v9_data() to ensure that no read outside of flowset is happening, CVE-2026-48683
- Reduced number of allowed flow per packet for Netflow v9 from 0x4000 to 256
- Added strict check that Netflow v9 options records and scopes sections must be in 4 byte chunks
- Added check to ensure that we do not read outside of packet in IPFIX template mode, CVE-2026-48684
- Multiple improvements for Netflow v9 templates code
- Disabled 'Flow duration' log message in IPFIX code which flooded logs
- Added sanity check before we read scope offset for Netflow v9 options templates, CVE-2026-48684
- Full tests for process_netflow_v9_options_template and process_netflow_packet_v9
- Fixed multiple issues with boundaries check off by one in dynamic_binary_buffer_t, CVE-2026-48689
- More strict Flow Spec reader logic if read_one_or_more_values_encoded_with_operator_byte returned error
- Migrated Flow Spec wire parser to use safe version of decode_bgp_subnet_encoding_ipv4. Removed decode_bgp_subnet_encoding_ipv4 entirely due to unsafety issues, CVE-2026-48686
- Full Flow Spec test coverage for encode and decode
- Added sanity check for logic which decoded IPv4 prefixes from the wire. It addresses security issues in code
- Removed duplicate function convert_cidr_to_binary_netmask_local_function_copy
- Added test for how_much_bytes_we_need_for_storing_certain_subnet_mask
- Addressed security issue in packet parser for IP packets which affects all plugins with exception Netflow and IPFIX. IP packet with artifically high IHL / header length may trigger read outside of allowed memory region, CVE-2026-48682
- Fully implemented unban logic for remote hosts with unban_remote_host_only_if_attack_finished support
- Added unban_remote_host_only_if_attack_finished
- Added options unban_remote_host_enabled_ipv4, unban_remote_host_enabled_ipv6, ban_time_remote_host_ipv4, ban_time_remote_host_ipv6 to control remote unban logic
- Reworked remote unban logic to use queue and run callback script
- Added attack direction detection for remote attacks
- Added field notify_script_remote_path to control path for remote script callback
- Breaking change: we're removed logic to define per direction remote hostgroups using names remote_host_incoming and remote_host_outgoing. Pleae use name name remote_host which includes thresholds for both directions
