PatchSiren cyber security CVE debrief
CVE-2026-46433 lldpd CVE debrief
CVE-2026-46433 is a MEDIUM severity vulnerability in lldpd prior to version 1.0.22. The lldpd_decode() function contains a heap buffer over-read. The function strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes to the left. However, the third argument (the byte count) is incorrectly calculated as s - 2 * ETHER_ADDR_LEN instead of s - 2 * ETHER_ADDR_LEN - 4, so the copy reads 4 bytes past the malloc(h_mtu) allocation when the received frame size equals the interface MTU.
- Vendor: lldpd
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of lldpd versions prior to 1.0.22 should update to 1.0.22 or later to mitigate this vulnerability.
Technical summary
The vulnerability exists in the lldpd_decode() function in src/daemon/lldpd.c. The function incorrectly calculates the byte count for memmove(), leading to a heap buffer over-read.
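As an added illustration that is not lldpd's own code, the following hypothetical model of the byte-count calculation described above shows why the buggy count reads past the allocation and how the corrected count avoids it. It assumes the usual tagged-frame layout (destination MAC, source MAC, 802.1Q tag, EtherType, payload); the function names and the sample frame are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6      /* MAC address length */
#define ETHERTYPE_VLAN 0x8100 /* 802.1Q TPID */
#define VLAN_TAG_LEN   4      /* TPID (2) + TCI (2) */

/* Hypothetical model of the memmove() byte count from the advisory: the bytes
 * after the tag start at 2*ETHER_ADDR_LEN + 4, so the correct count is 4 less. */
size_t strip_count(size_t s, bool buggy) {
    return buggy ? s - 2 * ETHER_ADDR_LEN : s - 2 * ETHER_ADDR_LEN - VLAN_TAG_LEN;
}

/* Bytes the memmove() source range extends past a malloc(h_mtu) buffer holding
 * an s-byte frame; with the buggy count and s == h_mtu this is 4. */
size_t overread_bytes(size_t h_mtu, size_t s, bool buggy) {
    size_t src_end = 2 * ETHER_ADDR_LEN + VLAN_TAG_LEN + strip_count(s, buggy);
    return src_end > h_mtu ? src_end - h_mtu : 0;
}

/* Strip an 802.1Q tag in place with the corrected count. Returns the new frame
 * length, or 0 if the frame is too short to hold a tagged header. */
size_t strip_vlan_tag(uint8_t *frame, size_t s) {
    const size_t hdr = 2 * ETHER_ADDR_LEN; /* dst MAC + src MAC */
    if (s < hdr + VLAN_TAG_LEN) return 0;
    uint16_t etype = (uint16_t)((frame[hdr] << 8) | frame[hdr + 1]);
    if (etype != ETHERTYPE_VLAN) return s; /* untagged: nothing to do */
    memmove(frame + hdr, frame + hdr + VLAN_TAG_LEN, strip_count(s, false));
    return s - VLAN_TAG_LEN;
}

/* Constructed 20-byte tagged frame (dst, src, VLAN 100 tag, EtherType 0x88cc LLDP,
 * two payload bytes). True if stripping leaves 16 bytes with the EtherType at 12. */
bool self_check(void) {
    uint8_t f[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
                    0x81, 0x00, 0x00, 0x64, 0x88, 0xcc, 0xaa, 0xbb };
    size_t n = strip_vlan_tag(f, sizeof f);
    return n == 16 && f[12] == 0x88 && f[13] == 0xcc && f[14] == 0xaa && f[15] == 0xbb;
}

int main(void) {
    printf("buggy count, frame == MTU 1500: %zu bytes over-read\n", overread_bytes(1500, 1500, true));
    printf("fixed count: %zu bytes over-read\n", overread_bytes(1500, 1500, false));
    printf("self-check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```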
Defensive priority
MEDIUM
Recommended defensive actions
- Update lldpd to version 1.0.22 or later.
- See ${ref-4} for patch details.
- See ${ref-5} for issue tracking and patch details.
- See ${ref-6} for product release notes.
- See ${ref-7} for vendor advisory details.
Evidence notes
CVE-2026-46433 has a CVSS score of 6.5 and is classified as MEDIUM severity.
Official resources
- CVE-2026-46433 CVE record (CVE.org)
- CVE-2026-46433 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Product, Release Notes
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-46433 was published on ${cvePublishedAt} and modified on ${cveModifiedAt}.