FRR: BGP Session abort on bad attribute 255

A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE packet with an attribute 255 (reserved for experimental) can cause the BGP peering session to flap.



Document Version:


Posting date:

Jan 10, 2019

Program Impacted:

FRRouting “FRR” (bgpd) on any platforms if it is configured (during compile time) with --enable-vnc. This includes packages released by the FRR team and FreeBSD Ports

Versions affected:






FRR versions above do not conform to RFC 7606 (Revised Error Handling for BGP UPDATE Messages). Additionally, the VNC code (see was using BGP attribute 255 which is reserved for experimental use. The BGP attribute was never standardized and was accidently left enabled.

The Disco experiment ( ) which was run this early January, used attribute 255 for it’s tests. While all other routers forwarded this transitive attribute (as it was unknown to them), FRR tried to parse it as VNC but failed and as such closed the BGP session (as specified in RFC 4271 Page 74, event 28). The closing of the session in case of an invalid attribute was a requirement of the BGP standard before RFC 7606 changed the behaviour.

There is no compromise of data, but this will lead to a potential denial of service as unrelated routes will be withdrawn from the routing table.

CVSS v3 Base Score: 4.1

CVSS Equation:

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:


Rebuild with ‘–disable-bgp-vnc’ or upgrade to a fixed version

Active exploits:

Public known and discovered by a research project on the Internet (‘Disco experiment’).

Impacted Versions:

Non-impacted Versions:


On Linux with Redhat / Debian Packages:

Upgrade to

On FreeBSD:

Update ports and upgrade FRR afterwards. Verify to be on a fixed version (3.0.4, 4.0.1, 5.0.2, 6.0.2) after upgrade

Linux with snap packages:

Upgrade Snap package

Other distributions:

Contact your vendor or rebuild source with the new versions. As an alternative, if VNC is not used, a rebuild of the same version with `–disable-vnc’ in the configure options (during build time) can be used as well

Updated packages are available at and as source on GIT

Document Revision History:

1.0 10 Januar 2019 – Initial version


The issue was uncovered by the ‘Disco’ experiment on the live Internet.