Skip to main content

GoBGP CVE-2026-37461

| EUVDEUVD-2026-26999 HIGH
Out-of-bounds Read (CWE-125)
2026-05-04 mitre GHSA-wmvj-f67g-qg4g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
May 05, 2026 - 16:23 vuln.today
Analysis Generated
May 05, 2026 - 16:23 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
7.5 (HIGH)
EUVD ID Assigned
May 04, 2026 - 16:30 euvd
EUVD-2026-26999
CVE Published
May 04, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

AnalysisAI

Remote attackers can crash GoBGP v4.3.0 by sending a malformed BGP UPDATE message that triggers an out-of-bounds read in IPv6 extended community parsing. The flaw allows unauthenticated denial of service against default configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, and EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability. Upstream fixes available via GitHub commits 362cce3e and 9ce8936.

Technical ContextAI

GoBGP is a BGP (Border Gateway Protocol) implementation written in Go, commonly used in software-defined networking and route server deployments. The vulnerability resides in the ParseIP6Extended function within the BGP packet parsing code (pkg/packet/bgp/bgp.go). CWE-125 (out-of-bounds read) occurs when the parser processes IPv6 Extended Communities path attributes in BGP UPDATE messages. The commit diff shows the validation check was increased from requiring 8 bytes minimum to 20 bytes, indicating the parser was attempting to read IPv6 extended community data beyond allocated buffer boundaries when given malformed or truncated attributes. BGP UPDATE messages carry routing information between peers and are a standard attack vector for protocol implementations, as they must parse untrusted network data.

RemediationAI

Apply upstream fixes from GitHub commits 362cce3e325f56e7a4f792ccb9689b3bdda9e682 and 9ce8936672ebc07df524da77fa4c6ae26d92be6d, which increase the buffer length validation from 8 to 20 bytes in ParseIP6Extended. Check GoBGP release notes for a patched version incorporating these commits (released patched version not independently confirmed from available data - verify with osrg/gobgp project releases). Workarounds include disabling IPv6 Extended Communities support if not operationally required (configuration: neighbor policy to reject UPDATE messages with IPv6 extended community attributes), though this may break IPv6 MPLS VPN or other services relying on this BGP capability. Implement BGP session authentication (TCP-MD5 or TCP-AO per RFC 5925) to restrict UPDATE message sources to trusted peers, reducing attack surface from unauthenticated remote to authenticated adjacencies. Filter or rate-limit BGP UPDATE messages at network ingress if processing untrusted BGP feeds. Note: Disabling IPv6 extended communities breaks RFC 5701 functionality for VPNv6 deployments.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-37461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy