Stack-based Buffer Overflow Affecting radvd-debuginfo package, versions <0:2.19-2.amzn2023.0.3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-AMZN2023-RADVDDEBUGINFO-17290993
- published10 Jun 2026
- disclosed19 Jun 2026
Introduced: 10 Jun 2026
NewCVE-2026-48715 (opens in a new tab)How to fix?
Upgrade Amazon-Linux:2023 radvd-debuginfo to version 0:2.19-2.amzn2023.0.3 or higher.
This issue was patched in ALAS2023-2026-1799.
NVD Description
Note: Versions mentioned in the description apply only to the upstream radvd-debuginfo package and not the radvd-debuginfo package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.
radvd is a router advertisement daemon for IPv6. Prior to version 2.21, the radvdump utility shipped with radvd contains a stack buffer overflow in the Route Information option parser. When processing a crafted ICMPv6 Router Advertisement, print_ff() copies up to 2032 bytes from attacker-controlled packet data into a 16-byte struct in6_addr on the stack, overflowing by up to 2016 bytes. Note that the main radvd daemon is not affected by the vulnerability. Version 2.21 patches the issue.