Skip to main content

osrg GoBGP CVE-2026-7737

| EUVDEUVD-2026-26917 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-04 VulDB
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
May 04, 2026 - 07:30 vuln.today
Analysis Generated
May 04, 2026 - 07:30 vuln.today
CVSS changed
May 04, 2026 - 07:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26917
Analysis Generated
May 04, 2026 - 07:00 vuln.today
Patch released
May 04, 2026 - 07:00 nvd
Patch available
CVE Published
May 04, 2026 - 05:45 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.

AnalysisAI

Out-of-bounds read in GoBGP BMP parser allows remote attackers to trigger information disclosure via malformed BMP messages to the BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody functions. Affected versions are up to 4.3.0; patch available in version 4.4.0. CVSS 6.9 reflects availability impact. No public exploit code or active exploitation has been identified.

Technical ContextAI

GoBGP is an open-source BGP implementation written in Go. The BMP (BGP Monitoring Protocol) parser in pkg/packet/bmp/bmp.go processes monitoring messages from BGP speakers. The vulnerability exists in two parsing functions that fail to validate minimum buffer lengths before reading fixed-size fields. BMPPeerUpNotification expects at least 20 bytes and BMPStatisticsReport expects at least 4 bytes; attackers sending crafted BMP messages with truncated payloads trigger out-of-bounds reads that expose adjacent memory. This is a classic bounds-checking failure (CWE-125) in protocol parsing code exposed over the network via AV:N.

RemediationAI

Upgrade GoBGP to version 4.4.0 or later, which includes explicit length validation checks before buffer reads in BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody. The patch (commit bc77597d42335c78464bc8e15a471d887bbdf260, available at https://github.com/osrg/gobgp/releases/tag/v4.4.0) adds minimum length assertions (20 bytes for peer up notifications, 4 bytes for statistics reports) and returns formatted errors when messages are truncated. As interim mitigation, implement network-level filtering to restrict BMP connections to trusted BGP speakers only and monitor GoBGP logs for truncation errors. If upgrading is not immediately feasible, disable BMP monitoring until patched, though this eliminates monitoring visibility.

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2026-7737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy