Skip to main content

GoBGP CVE-2026-37462

| EUVDEUVD-2026-34101 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-03 mitre GHSA-pw7p-7fqv-hpj8
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 04, 2026 - 14:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 04, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 04, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 04, 2026 - 14:22 NVD
7.3 (HIGH) 7.5 (HIGH)
Source Code Evidence Fetched
Jun 03, 2026 - 19:25 vuln.today
Analysis Generated
Jun 03, 2026 - 19:25 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
7.3 (HIGH)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

AnalysisAI

Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.

Technical ContextAI

GoBGP is an open-source BGP (Border Gateway Protocol) implementation written in Go, widely used as a routing daemon and library in network automation, SDN, and route-server deployments. The flaw is a CWE-190 integer overflow/underflow in /pkg/packet/bgp/bgp.go: when decoding a BGP UPDATE, the parser subtracts the length of a withdrawn route or path attribute from a uint16 counter without first validating that the subtrahend does not exceed the remaining counter, so a crafted UPDATE whose announced WithdrawnRoutesLen or TotalPathAttributeLen is smaller than the actual encoded element causes the counter to wrap from a small value to ~65533/65535. The committed fix (9ce8936) adds explicit boundary checks that return a BGP MessageError before the subtraction occurs.

RemediationAI

Upstream fix available (commit 9ce8936672ebc07df524da77fa4c6ae26d92be6d on osrg/gobgp); a released patched version is not independently confirmed from the provided data, so operators should upgrade to the first tagged GoBGP release that includes this commit after v4.3.0, or apply the patch directly to vendored copies of pkg/packet/bgp/bgp.go. As compensating controls until upgrade, restrict BGP TCP/179 to known peer IPs at the host or perimeter firewall, enforce TCP-MD5 or TCP-AO authentication on all BGP sessions so only trusted neighbors can deliver UPDATE messages, and where supported deploy GTSM (RFC 5082) for eBGP sessions; these reduce exposure to malicious or spoofed peers but do not protect against a legitimate peer that is itself compromised. Operators should also monitor gobgpd for unexpected session resets and consider rate-limiting session re-establishment to limit DoS amplification.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-37462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy