Skip to main content

Gobgp CVE-2026-5123

| EUVDEUVD-2026-17109 MEDIUM
Off-by-one Error (CWE-193)
2026-03-30 VulDB
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 16:00 euvd
EUVD-2026-17109
Analysis Generated
Mar 30, 2026 - 16:00 vuln.today
Patch released
Mar 30, 2026 - 16:00 nvd
Patch available
CVE Published
Mar 30, 2026 - 15:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.

AnalysisAI

Denial of service in osrg GoBGP up to version 4.3.0 via off-by-one error in the DecodeFromBytes function allows remote, unauthenticated attackers to crash the BGP daemon through manipulation of packet data, resulting in availability impact. The vulnerability requires high attack complexity and has difficult exploitability; no public exploit code or active exploitation is currently confirmed, though a patch is available from the vendor.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment This vulnerability presents low-to-moderate real-world risk despite network-reachable attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a GoBGP instance (either via direct BGP peering or if GoBGP is internet-exposed) sends a specially crafted BGP message with a malicious data[1] value that triggers the off-by-one boundary condition in DecodeFromBytes. This causes the GoBGP process to access memory beyond the intended buffer bounds, resulting in a segmentation fault or similar memory violation that crashes the BGP daemon and disrupts routing services. …
Remediation Upgrade osrg GoBGP to a version incorporating commit 67c059413470df64bc20801c46f64058e88f800f or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

gobgp
Release Status Fixed Version Urgency
bullseye vulnerable 2.25.0-2 -
bookworm vulnerable 3.10.0-1 -
trixie vulnerable 3.36.0-2 -
forky, sid vulnerable 4.3.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-5123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy