Skip to main content

Gobgp CVE-2026-5122

| EUVDEUVD-2026-17091 MEDIUM
Improper Access Control (CWE-284)
2026-03-30 VulDB
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 15:00 euvd
EUVD-2026-17091
Analysis Generated
Mar 30, 2026 - 15:00 vuln.today
Patch released
Mar 30, 2026 - 15:00 nvd
Patch available
CVE Published
Mar 30, 2026 - 14:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.

AnalysisAI

Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in BGP OPEN Message processing, resulting in integrity compromise through the DecodeFromBytes function. The vulnerability requires high attack complexity and has low real-world risk despite network-accessible attack vector; no public exploit code or confirmed active exploitation has been identified. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents limited real-world risk despite its network-accessible attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker on a network with BGP connectivity to a vulnerable GoBGP instance could craft a malicious BGP OPEN message with a manipulated domainNameLen parameter. Due to high attack complexity, the attacker would need detailed knowledge of GoBGP's message parsing logic and likely require specific network or system conditions to succeed. …
Remediation Upgrade osrg GoBGP to a patched version released after commit 2b09db390a3d455808363c53e409afe6b1b86d2d. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

gobgp
Release Status Fixed Version Urgency
bullseye vulnerable 2.25.0-2 -
bookworm vulnerable 3.10.0-1 -
trixie vulnerable 3.36.0-2 -
forky, sid vulnerable 4.3.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-5122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy