GoBGP CVE-2026-49837
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AV:N for network-delivered BGP OPEN; AC:H because attacker must reach TCP/179 in a typically restricted peer environment; I:H for AS validation manipulation; C:N and A:N per explicit vendor exclusion of those impact classes.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
GoBGP contains a BGP OPEN capability parsing issue where several concrete capability decoders may parse data from the full remaining capability buffer instead of the slice bounded by the declared capability length, CapLen. A malformed BGP OPEN message can cause bytes from a following capability to be interpreted as part of the current capability. The most security-relevant case is the 4-octet AS capability, where a capability with CapLen == 0 may cause the parser to read bytes from the following capability as the 4-octet AS value. This parsed value may later affect peer AS validation during BGP session establishment.
Details
The issue is in the BGP OPEN capability parser under:
pkg/packet/bgp/bgp.gopkg/packet/bgp/validate.go
- The BGP OPEN optional parameter capability format includes a capability code, a capability length field, and a capability value. Each concrete capability decoder should only parse bytes inside the declared capability value boundary. In affected versions, the generic capability parser records the declared CapLen, but several concrete capability decoders continue parsing from the full remaining capability buffer after advancing past the two-byte capability header. Conceptually, the vulnerable pattern is:
data = data[2:]
// decoder reads from data without first limiting it to CapLen
### PoC
The following parser-level proof of concept demonstrates the issue without requiring a full BGP session or a running `bgpd` instance.
The malformed capability uses:
- Capability Code: `65` (`BGP_CAP_FOUR_OCTET_AS_NUMBER`)
- Declared `CapLen`: `0`
- Four following bytes: `00 00 fd e8`
Although the capability declares an empty value, affected versions parse the following four bytes as the 4-octet AS value `65000`.
### Impact
A remote peer that can send a malformed BGP OPEN message to a GoBGP instance may cause capability values to be parsed from outside their declared `CapLen` boundaries.
In the 4-octet AS capability case, this may affect:
- peer AS validation;
- capability negotiation;
- interpretation of malformed OPEN messages;
- acceptance or rejection decisions during BGP session establishment.
This issue does not appear to be arbitrary memory corruption, remote code execution, or information disclosure. It is a protocol parser boundary validation issue that can affect BGP OPEN validation semantics.AnalysisAI
Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to reach the GoBGP instance on TCP port 179 and initiate a BGP session establishment - the malformed OPEN message is delivered during the initial handshake before the session is fully established, so no authenticated or established BGP session is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects network-accessible exploitation with high attack complexity and a high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with TCP connectivity to a GoBGP instance on port 179 sends a crafted BGP OPEN message containing a 4-octet AS capability (code 65) with CapLen set to 0, immediately followed by four bytes encoding an arbitrary AS number such as 0x0000fde8 (AS 65000). The GoBGP parser advances past the two-byte capability header, reads the following four bytes from the unconstrained remaining buffer as the AS value despite the declared zero-length, and uses this attacker-influenced value during peer AS validation - potentially causing the session to be accepted or rejected based on the attacker-supplied AS identity rather than the legitimate capability data. … |
| Remediation | Consult the GitHub Security Advisory GHSA-gjrg-jjr3-56cm at https://github.com/osrg/gobgp/security/advisories/GHSA-gjrg-jjr3-56cm for the authoritative fixed release version; no specific patched version number was confirmed in the available intelligence data, so the upstream fix should be treated as 'available per vendor advisory - released version not independently confirmed.' As a compensating control while awaiting a patched release, restrict inbound TCP access to port 179 on GoBGP instances to only explicitly configured, trusted peer IP addresses using host-based or perimeter firewall rules - this directly limits who can deliver a malformed OPEN message, though it does not eliminate risk if a trusted peer is itself compromised. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gjrg-jjr3-56cm