Skip to main content

GoBGP CVE-2026-41643

HIGH
Improper Validation of Array Index (CWE-129)
2026-04-29 https://github.com/osrg/gobgp GHSA-8rxh-r2p6-7f2q
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:45 vuln.today
CVE Published
Apr 29, 2026 - 20:44 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

A remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled.

Details

The vulnerability is located in internal/pkg/table/message.go within the UpdatePathAttrs4ByteAs function.

When GoBGP processes a BGP UPDATE message containing both an AS_PATH and an AS4_PATH attribute, it attempts to merge or validate them to support 4-byte AS numbers. If the attributes are ordered such that AS4_PATH (Type 17) appears before AS_PATH (Type 2), and the AS4_PATH is deemed invalid/malformed, the code attempts to remove the AS4_PATH attribute from the msg.PathAttributes slice. It appears the crash happens due to an index shift in msg.PathAttributes:

#GoBGP v4.2.0
// Line 112: If AS4_PATH precedes AS_PATH, the deletion causes all subsequent attributes to shift left.
msg.PathAttributes = append(msg.PathAttributes[:as4AttrPos], msg.PathAttributes[as4AttrPos+1:]...)

// Line 206: The stale asAttrPos index is used here.
//The function continues to use the stale index (asAttrPos) to update the AS_PATH. Since the slice length has decreased, accessing the old index leads to a panic.
msg.PathAttributes[asAttrPos] = bgp.NewPathAttributeAsPath(newIntfParams)

This deletion causes all subsequent attributes in the slice to shift left by one position. However, the function continues to use the original asAttrPos index (calculated before the deletion) to access or modify the AS_PATH attribute later at Line 206. Because the slice is now shorter, the "stale" index points out of bounds, triggering a panic and crashing the entire GoBGP process.

PoC

Environment: * GoBGP version: 4.2.0 Configuration: Passive peering enabled. Reproduction Steps: Configure GoBGP with a neighbor (e.g., 192.168.31.195). Send a specially crafted BGP UPDATE hex payload:

ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00 22 02
00 00
# Withdrawn Routes Length
00 0b
# Total Path Attribute Length
40 11 01 02
# AS4_PATH (Type 17, Len 1, Val 02) - Triggers the bug
40 02 04 ff ff de ad
# AS_PATH (Type 2, Len 4)

The GoBGP process will immediately crash with: panic: runtime error: index out of range [1] with length 1.

Impact

Vulnerability Type: Remote Denial of Service (DoS). Impacted Users: Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers. Since this crash occurs in the FSM (Finite State Machine) handling loop, a single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.

AnalysisAI

Remote unauthenticated denial of service crashes GoBGP routing daemon via malformed BGP UPDATE message exploiting index-out-of-bounds panic. Attackers send crafted BGP UPDATE with AS4_PATH attribute preceding AS_PATH, causing slice index mismanagement in UpdatePathAttrs4ByteAs function (internal/pkg/table/message.go). Publicly available exploit code exists with hex-level proof-of-concept payload demonstrating immediate process termination. Affects GoBGP v4.2.0 and earlier; vendor-released patch v4.3.0 available per GitHub advisory GHSA-8rxh-r2p6-7f2q. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-accessible, low-complexity attack requiring no privileges, resulting in complete routing service disruption.

Technical ContextAI

GoBGP implements Border Gateway Protocol (BGP-4) in Go for modern routing infrastructure. This vulnerability resides in RFC 6793 4-byte AS number transition code (UpdatePathAttrs4ByteAs function) that handles both legacy 2-byte AS_PATH (Type 2) and 4-byte AS4_PATH (Type 17) attributes. When processing UPDATE messages containing both attributes, the code attempts to merge or validate them to support modern 32-bit autonomous system numbers. The root cause is CWE-129 (Improper Validation of Array Index) manifesting as unsafe slice manipulation: when AS4_PATH is deemed malformed and removed from the msg.PathAttributes slice (line 112), the deletion shifts subsequent elements left, but the function continues using the stale asAttrPos index calculated before removal. Accessing this now-out-of-bounds index at line 206 triggers Go runtime panic, immediately terminating the process. This represents a classic time-of-check-time-of-use issue in memory-safe language runtime bounds checking, where defensive index recalculation after slice modification was omitted. The affected package pkg:go/github.com/osrg/gobgp/v4 versions <=4.2.0 all contain this logic flaw in BGP message parsing critical path.

RemediationAI

Upgrade immediately to GoBGP v4.3.0 or later, which contains vendor-confirmed fix for index management in UpdatePathAttrs4ByteAs function. Official patch details and release available at GitHub advisory https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q. For environments unable to patch immediately, implement strict BGP route filtering using prefix-lists and AS-path access-lists to reject UPDATE messages from untrusted sources, though this provides incomplete protection as trusted peers may propagate malformed routes. Deploy BGP session authentication (TCP MD5 or TCP-AO per RFC 5925) to limit attack surface to authenticated peers only - reduces but does not eliminate risk since authenticated peers can still send malicious UPDATEs. Configure maximum-prefix limits and BGP update-delay timers to provide circuit-breaker behavior if route instability occurs. Enable process monitoring and auto-restart for GoBGP daemon to restore service quickly after crash, though this does not prevent repeated exploitation. Consider deploying redundant route reflectors or BGP speakers with staggered patching to maintain routing availability during remediation. Note that route filtering and authentication introduce operational complexity and may impact convergence time or legitimate route acceptance; test changes in lab environment before production deployment. No workaround fully mitigates risk - upgrade to v4.3.0 is the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-41643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy