Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
AnalysisAI
Remote attackers can crash GoBGP v4.3.0 by sending a malformed BGP UPDATE message that triggers an out-of-bounds read in IPv6 extended community parsing. The flaw allows unauthenticated denial of service against default configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, and EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability. Upstream fixes available via GitHub commits 362cce3e and 9ce8936.
Technical ContextAI
GoBGP is a BGP (Border Gateway Protocol) implementation written in Go, commonly used in software-defined networking and route server deployments. The vulnerability resides in the ParseIP6Extended function within the BGP packet parsing code (pkg/packet/bgp/bgp.go). CWE-125 (out-of-bounds read) occurs when the parser processes IPv6 Extended Communities path attributes in BGP UPDATE messages. The commit diff shows the validation check was increased from requiring 8 bytes minimum to 20 bytes, indicating the parser was attempting to read IPv6 extended community data beyond allocated buffer boundaries when given malformed or truncated attributes. BGP UPDATE messages carry routing information between peers and are a standard attack vector for protocol implementations, as they must parse untrusted network data.
RemediationAI
Apply upstream fixes from GitHub commits 362cce3e325f56e7a4f792ccb9689b3bdda9e682 and 9ce8936672ebc07df524da77fa4c6ae26d92be6d, which increase the buffer length validation from 8 to 20 bytes in ParseIP6Extended. Check GoBGP release notes for a patched version incorporating these commits (released patched version not independently confirmed from available data - verify with osrg/gobgp project releases). Workarounds include disabling IPv6 Extended Communities support if not operationally required (configuration: neighbor policy to reject UPDATE messages with IPv6 extended community attributes), though this may break IPv6 MPLS VPN or other services relying on this BGP capability. Implement BGP session authentication (TCP-MD5 or TCP-AO per RFC 5925) to restrict UPDATE message sources to trusted peers, reducing attack surface from unauthenticated remote to authenticated adjacencies. Filter or rate-limit BGP UPDATE messages at network ingress if processing untrusted BGP feeds. Note: Disabling IPv6 extended communities breaks RFC 5701 functionality for VPNv6 deployments.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26999
GHSA-wmvj-f67g-qg4g