Description
An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Published: 2026-05-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read occurs in the ParseIP6Extended function of gobgp version 4.3.0. This flaw allows a malicious actor to trigger a crash by sending a specially crafted BGP UPDATE message. The primary impact is a loss of availability for the affected BGP process, potentially causing routing instability or outages in connected networks. The weakness is classified as an out‑of‑bounds read, corresponding to CWE‑125.

Affected Systems

Any deployment of the gobgp BGP implementation running version 4.3.0 is susceptible. The vulnerability was identified in the GitHub repository and linked commits that modify the ParseIP6Extended routine. Users of older or patched versions are not impacted.

Risk and Exploitability

The vulnerability is exploitable over the network by an attacker who can send BGP UPDATE messages to the gobgp instance. Because it causes a crash rather than privileged code execution, the risk is limited to service disruption. No publicly known exploits exist at the time of this analysis, and the EPSS score is <1%, indicating a low but non‑zero exploitation probability. The CVSS score is 7.5, underscoring a moderate‑high impact risk.

Generated by OpenCVE AI on May 5, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gobgp to the latest release that includes the fix for the out‑of‑bounds read.
  • If an upgrade cannot be performed immediately, restrict inbound BGP UPDATE traffic to trusted peering partners only.
  • Implement a health‑check or watchdog to automatically restart the gobgp service if it crashes.

Generated by OpenCVE AI on May 5, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wmvj-f67g-qg4g GoBGP has an out-of-bounds read in the ParseIP6Extended function
History

Mon, 11 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osrg:gobgp:4.3.0:*:*:*:*:*:*:*

Tue, 05 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in gobgp Leading to DoS

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in gobgp Leading to DoS
First Time appeared Osrg
Osrg gobgp
Weaknesses CWE-125
Vendors & Products Osrg
Osrg gobgp

Mon, 04 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
References

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T16:03:08.662Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37461

cve-icon Vulnrichment

Updated: 2026-05-05T15:29:15.210Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T17:16:23.230

Modified: 2026-05-11T19:58:37.527

Link: CVE-2026-37461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T17:45:06Z

Weaknesses