Skip to main content

osrg GoBGP CVE-2026-7735

| EUVDEUVD-2026-26915 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-05-04 VulDB
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Source Code Evidence Fetched
May 04, 2026 - 06:30 vuln.today
Analysis Generated
May 04, 2026 - 06:30 vuln.today
Severity Changed
May 04, 2026 - 06:22 NVD
HIGH MEDIUM
CVSS changed
May 04, 2026 - 06:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 06:00 euvd
EUVD-2026-26915
Analysis Generated
May 04, 2026 - 06:00 vuln.today
Patch released
May 04, 2026 - 06:00 nvd
Patch available
CVE Published
May 04, 2026 - 05:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.

AnalysisAI

Buffer overflow in GoBGP's AIGP Attribute Parser allows remote unauthenticated attackers to manipulate the PathAttributeAigp.DecodeFromBytes function via malformed BGP UPDATE messages, potentially causing memory corruption. Versions up to 4.3.0 are affected. GoBGP 4.4.0 includes a vendor-released patch that adds proper bounds checking and validation of TLV length fields.

Technical ContextAI

GoBGP is a BGP (Border Gateway Protocol) implementation in Go. The vulnerability exists in the AIGP (Accumulated IGP Metric) Attribute Parser component, specifically in the PathAttributeAigp.DecodeFromBytes function located in pkg/packet/bgp/bgp.go. AIGP is a BGP path attribute used to carry accumulated IGP metric values. The root cause is a CWE-120 classic buffer overflow: the parser did not validate that TLV (Type-Length-Value) fields contained enough data before reading from the byte buffer. The fix adds explicit bounds checking and error returns when TLV length claims exceed remaining data, preventing out-of-bounds reads during BGP UPDATE message parsing.

RemediationAI

Upgrade GoBGP to version 4.4.0 or later, which includes the patch commit 51ad1ada06cb41ce47b7066799981816f50b7ced. This patch adds proper validation of AIGP TLV length fields and returns a malformed attribute error when TLV length exceeds remaining buffer data. If immediate patching is not feasible, restrict BGP sessions to trusted peers only (filter untrusted BGP speakers at the network perimeter) or disable AIGP attribute acceptance if not required for your deployment; this reduces attack surface but may impact route metric calculations if AIGP is operationally necessary. Refer to the official GoBGP repository (https://github.com/osrg/gobgp/) and release notes for version 4.4.0 (https://github.com/osrg/gobgp/releases/tag/v4.4.0) for patching instructions.

Share

CVE-2026-7735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy