Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component.
AnalysisAI
Denial of service in osrg GoBGP up to version 4.3.0 allows remote attackers to trigger an infinite loop via malformed SRv6 L3 Service attributes in BGP packets. The vulnerability exists in the SRv6L3ServiceAttribute.DecodeFromBytes function, which incorrectly advances a loop variable when processing unknown sub-TLV types, causing the parser to never exit the loop and exhaust system resources. Vendor-released patch available in version 4.4.0.
Technical ContextAI
GoBGP is a BGP (Border Gateway Protocol) implementation written in Go used for routing. The vulnerability resides in the SRv6 (Segment Routing IPv6) L3 Service attribute parsing logic within pkg/packet/bgp/prefix_sid.go. The root cause is an off-by-one variable reference bug (CWE-404: Improper Resource Validation) in the DecodeFromBytes method. When parsing sub-TLVs (Type-Length-Value structures) of unknown types, the code incorrectly checks the length of the outer 'data' buffer instead of the 'stlvs' sub-buffer, and advances the wrong variable in the loop. This causes the loop condition to never become false when encountering unknown sub-TLV types (e.g., type 0xff), resulting in an infinite loop that consumes CPU and memory until the process terminates or the system becomes unresponsive. The same bug exists in the SRv6ServiceTLV.DecodeFromBytes function in the same file. The vulnerability is triggered when a BGP speaker receives and processes a specially crafted BGP UPDATE message containing malformed SRv6 attributes.
RemediationAI
Upgrade osrg GoBGP to version 4.4.0 or later immediately. The vendor-released patched version is available at https://github.com/osrg/gobgp/releases/tag/v4.4.0. The fix (commit f9f7b55ec258e514be0264871fa645a2c3edad11) corrects the variable reference in the SRv6L3ServiceAttribute.DecodeFromBytes and SRv6ServiceTLV.DecodeFromBytes functions by replacing incorrect checks and assignments of 'data' with the correct 'stlvs' variable. If immediate upgrade is not possible, operators should restrict BGP peering to trusted sources only by implementing strict ingress filtering and BGP session access control lists on border routers. This limits exposure but does not eliminate the vulnerability if any trusted peer is compromised. Monitor GoBGP process CPU and memory usage for signs of exploitation (sudden spikes under normal traffic). Consider deploying GoBGP in a container or VM with resource limits to constrain the impact of a DoS exploit to that single instance.
Same weakness CWE-404 – Improper Resource Shutdown or Release
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26914