Description
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
Published: 2026-03-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows a remote attacker to cause a denial of service in the GoBGP gobgpd daemon by sending a BGP update that contains a malicious NEXT_HOP path attribute. The flaw stems from improper handling of this attribute, which can lead to resource exhaustion or a crash when the attribute is processed. The impact is loss of BGP routing service for the affected router, potentially disrupting network connectivity and availability for any networks that rely on it. The weakness is identified as CWE-400, Denial of Service.

Affected Systems

The affected product is the GoBGP gobgpd daemon, version 4.2.0. No other vendors or products are listed in the data. The vendor is not specified.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% and the absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation at present. The attack vector is inferred to be remote, requiring an attacker to be able to send a crafted BGP update to the target router. No additional prerequisite conditions are stated in the description, so the risk assessment relies on the provided severity metrics and the inferred remote nature of the exploit.

Generated by OpenCVE AI on March 17, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GoBGP gobgpd daemon to a version that addresses the NEXT_HOP handling flaw; check the official GoBGP repository or release notes for the patch.
  • Monitor the GoBGP community and GitHub repository for new releases or security advisories that may contain a fix.
  • Implement BGP session authentication and enforce strict access controls to limit untrusted peers from sending update messages that could trigger the vulnerability.


Advisories

Source: Github GHSA
ID: GHSA-4p9m-8gc4-rw2h
Title: GoBGP vulnerable to a denial of service via the NEXT_HOP path attribute
History

Tue, 07 Apr 2026 07:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:osrg:gobgp:4.2.0:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: Title
Values added: GoBGP 4.2.0 Remote Denial of Service via NEXT_HOP Path Attribute

Tue, 17 Mar 2026 16:15:00 +0000

Type: Weaknesses
Values added: CWE-400

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Osrg, Osrg gobgp

Type: Vendors & Products
Values added: Osrg, Osrg gobgp

Mon, 16 Mar 2026 16:30:00 +0000

Type: Description
Values added: An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute

MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-03-17T15:24:03.136Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30405

Vulnrichment

Updated: 2026-03-17T15:23:59.148Z

NVD

Status: Analyzed

Published: 2026-03-16T17:16:29.790

Modified: 2026-04-07T01:04:23.733

Link: CVE-2026-30405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:52Z

Weaknesses