Skip to main content

osrg GoBGP EUVDEUVD-2026-26914

| CVE-2026-7734 MEDIUM
Improper Resource Shutdown or Release (CWE-404)
2026-05-04 VulDB
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Source Code Evidence Fetched
May 04, 2026 - 06:30 vuln.today
Analysis Generated
May 04, 2026 - 06:30 vuln.today
CVSS changed
May 04, 2026 - 06:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 06:00 euvd
EUVD-2026-26914
Analysis Generated
May 04, 2026 - 06:00 vuln.today
Patch released
May 04, 2026 - 06:00 nvd
Patch available
CVE Published
May 04, 2026 - 05:00 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component.

AnalysisAI

Denial of service in osrg GoBGP up to version 4.3.0 allows remote attackers to trigger an infinite loop via malformed SRv6 L3 Service attributes in BGP packets. The vulnerability exists in the SRv6L3ServiceAttribute.DecodeFromBytes function, which incorrectly advances a loop variable when processing unknown sub-TLV types, causing the parser to never exit the loop and exhaust system resources. Vendor-released patch available in version 4.4.0.

Technical ContextAI

GoBGP is a BGP (Border Gateway Protocol) implementation written in Go used for routing. The vulnerability resides in the SRv6 (Segment Routing IPv6) L3 Service attribute parsing logic within pkg/packet/bgp/prefix_sid.go. The root cause is an off-by-one variable reference bug (CWE-404: Improper Resource Validation) in the DecodeFromBytes method. When parsing sub-TLVs (Type-Length-Value structures) of unknown types, the code incorrectly checks the length of the outer 'data' buffer instead of the 'stlvs' sub-buffer, and advances the wrong variable in the loop. This causes the loop condition to never become false when encountering unknown sub-TLV types (e.g., type 0xff), resulting in an infinite loop that consumes CPU and memory until the process terminates or the system becomes unresponsive. The same bug exists in the SRv6ServiceTLV.DecodeFromBytes function in the same file. The vulnerability is triggered when a BGP speaker receives and processes a specially crafted BGP UPDATE message containing malformed SRv6 attributes.

RemediationAI

Upgrade osrg GoBGP to version 4.4.0 or later immediately. The vendor-released patched version is available at https://github.com/osrg/gobgp/releases/tag/v4.4.0. The fix (commit f9f7b55ec258e514be0264871fa645a2c3edad11) corrects the variable reference in the SRv6L3ServiceAttribute.DecodeFromBytes and SRv6ServiceTLV.DecodeFromBytes functions by replacing incorrect checks and assignments of 'data' with the correct 'stlvs' variable. If immediate upgrade is not possible, operators should restrict BGP peering to trusted sources only by implementing strict ingress filtering and BGP session access control lists on border routers. This limits exposure but does not eliminate the vulnerability if any trusted peer is compromised. Monitor GoBGP process CPU and memory usage for signs of exploitation (sudden spikes under normal traffic). Consider deploying GoBGP in a container or VM with resource limits to constrain the impact of a DoS exploit to that single instance.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-26914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy