FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MPREACHNLRI IPv6 attribute decoder. The function decodempreachipv6() in src/bgpprotocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled lengthofnexthop field to determine memcpy size (line 181), and computes prefixlength by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefixlength is then used to calculate numberofbytesrequiredforprefix which becomes a memcpy length (line 202) with no check against remaining buffer size.