Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.
AnalysisAI
Out-of-bounds read in GoBGP BMP parser allows remote attackers to trigger information disclosure via malformed BMP messages to the BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody functions. Affected versions are up to 4.3.0; patch available in version 4.4.0. CVSS 6.9 reflects availability impact. No public exploit code or active exploitation has been identified.
Technical ContextAI
GoBGP is an open-source BGP implementation written in Go. The BMP (BGP Monitoring Protocol) parser in pkg/packet/bmp/bmp.go processes monitoring messages from BGP speakers. The vulnerability exists in two parsing functions that fail to validate minimum buffer lengths before reading fixed-size fields. BMPPeerUpNotification expects at least 20 bytes and BMPStatisticsReport expects at least 4 bytes; attackers sending crafted BMP messages with truncated payloads trigger out-of-bounds reads that expose adjacent memory. This is a classic bounds-checking failure (CWE-125) in protocol parsing code exposed over the network via AV:N.
RemediationAI
Upgrade GoBGP to version 4.4.0 or later, which includes explicit length validation checks before buffer reads in BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody. The patch (commit bc77597d42335c78464bc8e15a471d887bbdf260, available at https://github.com/osrg/gobgp/releases/tag/v4.4.0) adds minimum length assertions (20 bytes for peer up notifications, 4 bytes for statistics reports) and returns formatted errors when messages are truncated. As interim mitigation, implement network-level filtering to restrict BMP connections to trusted BGP speakers only and monitor GoBGP logs for truncation errors. If upgrading is not immediately feasible, disable BMP monitoring until patched, though this eliminates monitoring visibility.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26917