VSA-2026-022: LLDPD vulnerability in VLAN decapsulation
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-06-23 | 2026-06-23 | 🟢 Low | Not available yet | - XCP-ng 8.3 |
The lldpd project recently disclosed a vulnerability affecting an optional package that could be installed on XCP-ng 8.3. For Vates products, we classify the impact as Low as the vulnerability does not rely on the supported XCP-ng use cases. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
When decoding VLAN tags from received Ethernet frames, lldpd_decode() calls memmove() to shift the frame payload 4 bytes to the left.
When the received frame size equals the interface MTU, this call reads 4 bytes past the end of the malloc(h_mtu) allocation.
The issue exists only in that case.
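The arithmetic behind the over-read, as an added example that is not lldpd's code: it assumes the flawed copy length still counted the 4 tag bytes (the advisory does not show the call), and every function name here is hypothetical. vlan_decap() is a bounds-respecting variant run on a constructed frame that fills the whole buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ADDRS_LEN 12 /* destination MAC + source MAC */
#define VLAN_TAG_LEN 4   /* 802.1Q TPID (0x8100) + TCI */

/* One past the last offset memmove() reads when the payload is shifted left
 * by one tag: the source starts at ETH_ADDRS_LEN + VLAN_TAG_LEN. */
size_t read_end(size_t n) { return ETH_ADDRS_LEN + VLAN_TAG_LEN + n; }

/* Assumed flawed length: still counts the 4 tag bytes being removed. */
size_t unsafe_copy_len(size_t len) { return len - ETH_ADDRS_LEN; }

/* In-bounds length: only the bytes that follow the tag. */
size_t safe_copy_len(size_t len) { return len - ETH_ADDRS_LEN - VLAN_TAG_LEN; }

/* Strip one 802.1Q tag in place. Returns the new length, or 0 when the frame
 * is untagged or too short to hold addresses, tag and inner EtherType. */
size_t vlan_decap(uint8_t *frame, size_t len) {
    if (len < ETH_ADDRS_LEN + VLAN_TAG_LEN + 2) return 0;
    if (frame[12] != 0x81 || frame[13] != 0x00) return 0;
    memmove(frame + ETH_ADDRS_LEN, frame + ETH_ADDRS_LEN + VLAN_TAG_LEN,
            safe_copy_len(len));
    return len - VLAN_TAG_LEN;
}

/* Constructed frame filling a whole h_mtu-sized buffer, the advisory's case. */
int decap_full_buffer_ok(size_t h_mtu) {
    uint8_t *frame = calloc(1, h_mtu);
    if (frame == NULL || h_mtu < 32) { free(frame); return 0; }
    frame[12] = 0x81; frame[13] = 0x00; /* TPID */
    frame[16] = 0x88; frame[17] = 0xcc; /* inner EtherType: LLDP */
    frame[h_mtu - 1] = 0x5a;            /* marker in the last payload byte */
    size_t n = vlan_decap(frame, h_mtu);
    int ok = n == h_mtu - VLAN_TAG_LEN && frame[12] == 0x88 &&
             frame[13] == 0xcc && frame[n - 1] == 0x5a;
    free(frame);
    return ok;
}

int main(void) {
    size_t mtu = 1500; /* constructed value */
    printf("read end: unsafe %zu, safe %zu, buffer %zu\n",
           read_end(unsafe_copy_len(mtu)), read_end(safe_copy_len(mtu)), mtu);
    printf("decap ok: %d\n", decap_full_buffer_ok(mtu));
    return 0;
}
```

With a 1500-byte buffer the assumed flawed length makes the read end at offset 1504, while the corrected length ends exactly at 1500.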
Impact
This issue is pre-authentication and limited to Layer 2 adjacency. Any device on the same broadcast domain can trigger it by sending a VLAN-tagged LLDP/CDP/EDP/SONMP frame. The consequence is typically a denial of service.
Affected Versions
- XCP-ng 8.3: Affected (optional package).
Mitigation
There are no known mitigations.
Resolution
As of 2026-06-23, the lldpd- packages for XCP-ng 8.3 have been updated to address this issue.
List of packages fixing this issue:
- XCP-ng 8.3: lldpd-1.0.4-1.2.xcpng8.3
Credits
This issue was discovered by Tristan Madani (@TristanInSec), Talence Security.