EUVD-2026-17091CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
Analysis
Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in BGP OPEN Message processing, resulting in integrity compromise through the DecodeFromBytes function. The vulnerability requires high attack complexity and has low real-world risk despite network-accessible attack vector; no public exploit code or confirmed active exploitation has been identified. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.25.0-2 | - |
| bookworm | vulnerable | 3.10.0-1 | - |
| trixie | vulnerable | 3.36.0-2 | - |
| forky, sid | vulnerable | 4.3.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today