Description
An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources.
Published: 2026-03-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Argument Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw is an Argument Injection (CWE-88) in the traceroute module of bird‑lg‑go before commit 6187a4e. The module passes the user-supplied q parameter through shlex.Split without validation, so every whitespace-separated token of q becomes its own argv element for the traceroute binary. A remote attacker can therefore supply option tokens such as -w (per-probe wait time) or -q (probes per hop) alongside or instead of a target, inflating the duration and cost of each traceroute run until the host's resources are exhausted and the service is denied.

Affected Systems

xddxdd:bird-lg-go is affected. The vulnerability applies to any instance of the project prior to the commit that introduces the input validation fix. Users should verify the commit hash of their installed version.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a high-severity, unauthenticated, network-reachable availability impact with no confidentiality or integrity impact. The EPSS score below 1% indicates a low but nonzero exploitation probability, the SSVC enrichment records Exploitation: poc and Automatable: yes, and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs only network access to the looking-glass traceroute endpoint: a crafted request carrying option tokens in the q parameter is enough to make each traceroute invocation consume far more time and resources than intended.

Generated by OpenCVE AI on April 16, 2026 at 13:48 UTC.

Remediation

No vendor advisory or workaround is linked. The CVE description identifies commit 6187a4e of bird‑lg‑go as the change that adds input validation to the traceroute module, so builds that include that commit contain the fix.

OpenCVE Recommended Actions

  • Upgrade bird‑lg‑go to a build that includes commit 6187a4e, which adds input validation to the traceroute module; confirm by checking the installed commit hash rather than a version string.
  • Where an immediate upgrade is not feasible, validate the q parameter before it reaches the shell-style split: accept only a single IP address or hostname and reject any request whose q value contains whitespace or a token beginning with a hyphen, rather than trying to whitelist individual traceroute flags.
  • Configure resource limits for the traceroute process—such as CPU or memory quotas, timeouts, and connection caps—to mitigate potential exhaustion.
  • Deploy monitoring to detect abnormal traceroute request patterns and alert on excessive resource usage.
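As an added illustration (not code from bird‑lg‑go or from OpenCVE), the following Go program contrasts an argv builder that tokenizes q the way the description says the vulnerable module does with a hardened builder that applies the validation recommended above. strings.Fields stands in for shlex.Split because the weakness is the tokenization of user input into argv, not the quoting rules. The function names, the "--" end-of-options marker and the hostname rule are this example's own assumptions, not the project's fix, and the q values are constructed rather than captured.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// vulnerableArgv is a hypothetical stand-in for the argv construction the
// advisory describes. The real module uses shlex.Split; strings.Fields is used
// here because the defect is identical: every whitespace-separated token of the
// user-supplied q parameter becomes its own argv element, so "-w 3600" reaches
// traceroute as options rather than as a target.
func vulnerableArgv(q string) []string {
	return append([]string{"traceroute"}, strings.Fields(q)...)
}

// InjectedFlags returns every token of q that traceroute would parse as an
// option. It serves both as a pre-dispatch check and as a detection rule that
// can be run over decoded q values taken from access logs.
func InjectedFlags(q string) []string {
	var flags []string
	for _, tok := range strings.Fields(q) {
		if strings.HasPrefix(tok, "-") {
			flags = append(flags, tok)
		}
	}
	return flags
}

var ErrBadTarget = errors.New("q must be a single IP address or hostname")

// hardenedArgv accepts exactly one token, requires it to parse as an IP
// address or a syntactically plausible hostname, and places it after "--"
// (assumed here to be honored by the local traceroute) so that the target
// cannot be read as an option even if the validation is later relaxed.
func hardenedArgv(q string) ([]string, error) {
	target := strings.TrimSpace(q)
	if target == "" || strings.ContainsAny(target, " \t\r\n\"'") {
		return nil, ErrBadTarget
	}
	if net.ParseIP(target) == nil && !validHostname(target) {
		return nil, ErrBadTarget
	}
	return []string{"traceroute", "--", target}, nil
}

// validHostname is a deliberately strict rule chosen for this example: dot-
// separated labels of letters, digits and hyphens, no label starting or ending
// with a hyphen, at most 63 bytes per label and 253 overall.
func validHostname(h string) bool {
	if len(h) == 0 || len(h) > 253 || strings.HasPrefix(h, "-") {
		return false
	}
	for _, label := range strings.Split(strings.TrimSuffix(h, "."), ".") {
		if len(label) == 0 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for _, c := range label {
			isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			if !isAlnum && c != '-' {
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed request values, not captured traffic.
	for _, q := range []string{"192.0.2.1", "example.net -w 3600 -q 65535", "-V"} {
		fmt.Printf("q=%q\n  vulnerable argv: %q\n  injected flags:  %q\n", q, vulnerableArgv(q), InjectedFlags(q))
		if argv, err := hardenedArgv(q); err != nil {
			fmt.Printf("  hardened: rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened argv:   %q\n", argv)
		}
	}
}
```

The single-token validation is the primary control; treat the "--" marker as defence in depth and confirm that the traceroute build on the host actually stops option parsing at it before relying on that behaviour. For monitoring, feeding decoded q values from the web server's access log through InjectedFlags gives a direct signal for the request pattern the last bullet above asks you to alert on.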

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type     Values Removed     Values Added
Title                       Argument Injection in Traceroute Module Allows Denial of Service

Thu, 05 Mar 2026 18:15:00 +0000

Type     Values Removed     Values Added
CPEs                        cpe:2.3:a:xddxdd:bird-lg-go:*:*:*:*:*:go:*:*

Thu, 05 Mar 2026 09:15:00 +0000

Type                  Values Removed     Values Added
First Time appeared                      Xddxdd; Xddxdd bird-lg-go
Vendors & Products                       Xddxdd; Xddxdd bird-lg-go

Wed, 04 Mar 2026 16:15:00 +0000

Type         Values Removed     Values Added
Weaknesses                      CWE-88
Metrics                         cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                                ssvc (version 2.0.3): Automatable: yes; Exploitation: poc; Technical Impact: partial


Wed, 04 Mar 2026 15:30:00 +0000

Type          Values Removed     Values Added
Description                      An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources.

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-04T15:39:12.164Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26514

Vulnrichment

Updated: 2026-03-04T15:36:54.868Z

NVD

Status : Analyzed

Published: 2026-03-04T16:16:27.713

Modified: 2026-03-05T18:07:05.847

Link: CVE-2026-26514

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses