Vulnerability DatabaseCVE-2026-48715
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-48715
Published:June 19, 2026
Updated:June 29, 2026
radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the "radvdump" utility shipped with radvd contains a stack buffer overflow in the Route Information option parser. When processing a crafted ICMPv6 Router Advertisement, "print_ff()" copies up to 2032 bytes from attacker-controlled packet data into a 16-byte "struct in6_addr" on the stack, overflowing by up to 2016 bytes. Note that the main "radvd" daemon is not affected by the vulnerability. Version 2.21 patches the issue.
Affected Packages
https://github.com/radvd-project/radvd.git (GITHUB):
Affected version(s) >=v0.4.1 <v2.21
Fix Suggestion:
Update to version v2.21
Related Resources (2)
https://github.com/radvd-project/radvd/commit/068bde13e3fd6a5fcdb6859e6a2acd293a325dc5
https://github.com/radvd-project/radvd/security/advisories/GHSA-52px-gh9p-m379
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.7
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Stack-based Buffer Overflow
CWE-121
EPSS
Base Score:
0.20