High

Buffer Overflow in Fortinet FortiSwitchAXFixed LLDP Packet Processing

Identifiers: CVE-2026-22627, CWE-120 · Buffer Copy without Checking Size…

CVE-2026-22627 is a classic buffer overflow vulnerability in Fortinet FortiSwitchAXFixed affecting versions 1.0.0 through 1.0.1. According to the provided content, the flaw is caused by copying attacker-controlled input without proper size validation during processing of LLDP data, specifically the LLDP OUI field. A crafted LLDP packet sent from an adjacent network can trigger memory corruption on the device. Because the vulnerable code path is reachable without authentication, a nearby attacker can exploit the overflow to execute unauthorized code or commands on the affected FortiSwitchAXFixed device.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may result in memory corruption leading to unauthorized code or command execution on the affected switch. Given the unauthenticated attack surface and network-adjacent reachability via LLDP, compromise of a vulnerable device could enable full device takeover, disruption of switching functions, and use of the switch as a foothold for further activity within the local network segment.

Mitigation

If you can’t patch tonight, do this now.

Until patches can be applied, reduce exposure by limiting or filtering LLDP traffic to trusted adjacent devices where operationally feasible, disabling LLDP on untrusted or unnecessary interfaces if business requirements permit, and segmenting management and switching infrastructure from untrusted local network access. Monitor for anomalous LLDP traffic and signs of device instability or unexpected command execution. Because exploitation is unauthenticated from the adjacent network, restricting physical and Layer 2 access to switch-connected segments is an important compensating control.
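
A structural check that could back the LLDP monitoring described above, as an added example (not code from Fortinet or from this page's source). It validates TLV framing per IEEE 802.1AB, including the minimum size of an organizationally specific TLV (3-byte OUI plus 1-byte subtype); it is not a signature for CVE-2026-22627, whose trigger details the page does not give. The function names and sample frames are constructed for illustration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
ORG_SPECIFIC = 127      # TLV type whose value starts with a 3-byte OUI + 1-byte subtype
MANDATORY = [1, 2, 3]   # Chassis ID, Port ID, TTL open every LLDPDU (IEEE 802.1AB)

def audit_lldp_frame(frame):
    """Return structural findings for one untagged Ethernet frame (empty list = clean)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return ["not an untagged LLDP frame"]
    pdu, off, findings, seen = frame[14:], 0, [], []
    while True:
        if off + 2 > len(pdu):
            findings.append("LLDPDU ends without an End TLV")
            break
        hdr = struct.unpack("!H", pdu[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if off + tlv_len > len(pdu):                # declared length overruns the frame
            findings.append(f"TLV type {tlv_type} declares {tlv_len} bytes, "
                            f"{len(pdu) - off} remain")
            break
        if tlv_type == 0:                           # End of LLDPDU
            break
        seen.append(tlv_type)
        if tlv_type == ORG_SPECIFIC and tlv_len < 4:
            findings.append(f"org-specific TLV of {tlv_len} bytes cannot hold OUI + subtype")
        off += tlv_len
    if seen[:3] != MANDATORY:
        findings.append("mandatory Chassis ID / Port ID / TTL TLVs missing or out of order")
    return findings

def tlv(tlv_type, value, declared_len=None):
    """Build one TLV; declared_len lets the constructed samples misstate the length."""
    length = len(value) if declared_len is None else declared_len
    return struct.pack("!H", (tlv_type << 9) | length) + value

# Constructed sample frames (not captured traffic).
ETH = bytes.fromhex("0180c200000e" "020000000001" "88cc")
BASE = tlv(1, b"\x04\x02\x00\x00\x00\x00\x01") + tlv(2, b"\x05eth0") + tlv(3, b"\x00\x78")
END = tlv(0, b"")
SAMPLES = {
    "clean":     ETH + BASE + tlv(127, b"\x00\x12\x0f\x01\x03") + END,
    "short_oui": ETH + BASE + tlv(127, b"\x00\x12") + END,
    "overrun":   ETH + BASE + tlv(127, b"\x00\x12\x0f\x01", declared_len=300),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, audit_lldp_frame(frame))
```

Findings from a check like this are most useful when alerted on per ingress port, so that malformed LLDP arriving on an untrusted access port stands out from neighbor advertisements on trusted uplinks.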

Remediation

Patch, then assume compromise.

Upgrade FortiSwitchAXFixed to a vendor-fixed release that is not affected by CVE-2026-22627. The provided content states that versions 1.0.0 through 1.0.1 are vulnerable; administrators should verify installed versions against Fortinet's advisory and apply the corresponding Fortinet patch or updated firmware from the FortiGuard PSIRT guidance.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

| Vendor | Product | Type |
|---|---|---|
| Fortinet | Fortiswitchaxfixed | application |
| Fortinet | Multiple Fortinet Products | application |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
