Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.
AnalysisAI
Buffer overflow in GoBGP's AIGP Attribute Parser allows remote unauthenticated attackers to manipulate the PathAttributeAigp.DecodeFromBytes function via malformed BGP UPDATE messages, potentially causing memory corruption. Versions up to 4.3.0 are affected. GoBGP 4.4.0 includes a vendor-released patch that adds proper bounds checking and validation of TLV length fields.
Technical ContextAI
GoBGP is a BGP (Border Gateway Protocol) implementation in Go. The vulnerability exists in the AIGP (Accumulated IGP Metric) Attribute Parser component, specifically in the PathAttributeAigp.DecodeFromBytes function located in pkg/packet/bgp/bgp.go. AIGP is a BGP path attribute used to carry accumulated IGP metric values. The root cause is a CWE-120 classic buffer overflow: the parser did not validate that TLV (Type-Length-Value) fields contained enough data before reading from the byte buffer. The fix adds explicit bounds checking and error returns when TLV length claims exceed remaining data, preventing out-of-bounds reads during BGP UPDATE message parsing.
RemediationAI
Upgrade GoBGP to version 4.4.0 or later, which includes the patch commit 51ad1ada06cb41ce47b7066799981816f50b7ced. This patch adds proper validation of AIGP TLV length fields and returns a malformed attribute error when TLV length exceeds remaining buffer data. If immediate patching is not feasible, restrict BGP sessions to trusted peers only (filter untrusted BGP speakers at the network perimeter) or disable AIGP attribute acceptance if not required for your deployment; this reduces attack surface but may impact route metric calculations if AIGP is operationally necessary. Refer to the official GoBGP repository (https://github.com/osrg/gobgp/) and release notes for version 4.4.0 (https://github.com/osrg/gobgp/releases/tag/v4.4.0) for patching instructions.
An issue was discovered in GoBGP before 3.35.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitab
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploit
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploit
Denial of service in osrg GoBGP up to version 4.3.0 via off-by-one error in the DecodeFromBytes function allows remote,
Improper access controls in osrg GoBGP up to version 4.3.0 allow remote attackers to bypass authentication via manipulat
Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in B
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 4.3), this vulnerability is no authenticatio
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26915