CVE-2026-46433 is a heap out-of-bounds read vulnerability in lldpd, the open-source Link Layer Discovery Protocol daemon, triggered during VLAN decapsulation via a flawed memmove operation. An attacker able to send crafted LLDP frames on an adjacent network could exploit this to read sensitive memory contents, potentially leaking information from affected hosts. This affects Azure environments where lldpd is running on underlying infrastructure or customer-managed VMs.

Security Architect’s Take: Audit your Azure VMs and container hosts for any running instances of lldpd and apply vendor patches promptly; where lldpd is unnecessary, disable or remove it entirely to reduce attack surface, particularly on network-adjacent workloads.

Original advisory: CVE-2026-46433 lldpd: Heap OOB Read in VLAN Decapsulation memmove