Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionCVE.org
An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
AnalysisAI
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Technical ContextAI
GoBGP is an open-source BGP (Border Gateway Protocol) implementation written in Go, widely used as a routing daemon and library in network automation, SDN, and route-server deployments. The flaw is a CWE-190 integer overflow/underflow in /pkg/packet/bgp/bgp.go: when decoding a BGP UPDATE, the parser subtracts the length of a withdrawn route or path attribute from a uint16 counter without first validating that the subtrahend does not exceed the remaining counter, so a crafted UPDATE whose announced WithdrawnRoutesLen or TotalPathAttributeLen is smaller than the actual encoded element causes the counter to wrap from a small value to ~65533/65535. The committed fix (9ce8936) adds explicit boundary checks that return a BGP MessageError before the subtraction occurs.
RemediationAI
Upstream fix available (commit 9ce8936672ebc07df524da77fa4c6ae26d92be6d on osrg/gobgp); a released patched version is not independently confirmed from the provided data, so operators should upgrade to the first tagged GoBGP release that includes this commit after v4.3.0, or apply the patch directly to vendored copies of pkg/packet/bgp/bgp.go. As compensating controls until upgrade, restrict BGP TCP/179 to known peer IPs at the host or perimeter firewall, enforce TCP-MD5 or TCP-AO authentication on all BGP sessions so only trusted neighbors can deliver UPDATE messages, and where supported deploy GTSM (RFC 5082) for eBGP sessions; these reduce exposure to malicious or spoofed peers but do not protect against a legitimate peer that is itself compromised. Operators should also monitor gobgpd for unexpected session resets and consider rate-limiting session re-establishment to limit DoS amplification.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34101
GHSA-pw7p-7fqv-hpj8