Description
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
Published: 2026-03-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability in GoBGP version 4.2.0 allows a remote attacker to cause a denial of service by manipulating the NEXT_HOP path attribute in BGP UPDATE messages. This flaw triggers resource exhaustion, disrupting normal routing operations and potentially rendering affected routers inoperative. The weakness is classified as a resource exhaustion vulnerability (CWE-400). The CVE description states the impact but does not explicitly describe the attack vector; it is inferred that the attacker would need to send a crafted BGP UPDATE containing a malformed NEXT_HOP attribute.

Affected Systems

Affected systems are instances of the OSRG GoBGP distribution running exactly version 4.2.0. Any machine that accepts external BGP updates from peers not fully trusted is susceptible; no other GoBGP versions are known to be impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that exploitation requires establishing a BGP session with the vulnerable daemon and sending a specifically crafted UPDATE message, which may be limited to environments that receive BGP traffic from untrusted sources. If exploited, the outage could affect network reachability for all routes processed by the affected instance.

Generated by OpenCVE AI on April 7, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest GoBGP release that resolves the NEXT_HOP attribute handling issue.
  • If an immediate upgrade is not possible, restrict or block incoming BGP UPDATE messages from untrusted peers until a patch is applied.
  • Continuously monitor BGP session logs and system resource usage for sudden spikes that may indicate a denial‑of‑service event.

Generated by OpenCVE AI on April 7, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4p9m-8gc4-rw2h GoBGP vulnerable to a denial of service via the NEXT_HOP path attribute
References
Link Providers
https://github.com/osrg/gobgp/issues/3305 cve-icon cve-icon
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title GoBGP 4.2.0 Remote Denial of Service via NEXT_HOP Path Attribute

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osrg:gobgp:4.2.0:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title GoBGP 4.2.0 Remote Denial of Service via NEXT_HOP Path Attribute

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Osrg
Osrg gobgp
Vendors & Products Osrg
Osrg gobgp

Mon, 16 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
References

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-17T15:24:03.136Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30405

cve-icon Vulnrichment

Updated: 2026-03-17T15:23:59.148Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T17:16:29.790

Modified: 2026-04-07T01:04:23.733

Link: CVE-2026-30405

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:02:32Z

Weaknesses