Description
An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Published: 2026-05-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read occurs in the ParseIP6Extended function of gobgp version 4.3.0. This flaw allows a malicious actor to trigger a crash by sending a specially crafted BGP UPDATE message. The primary impact is a loss of availability for the affected BGP process, potentially causing routing instability or outages in connected networks. The weakness is classified as an out‑of‑bounds read, corresponding to CWE‑125.

Affected Systems

Any deployment of the gobgp BGP implementation running version 4.3.0 is susceptible. The vulnerability was identified in the GitHub repository and linked commits that modify the ParseIP6Extended routine. Users of older or patched versions are not impacted.

Risk and Exploitability

The vulnerability is exploitable over the network by an attacker who can send BGP UPDATE messages to the gobgp instance. Because it causes a crash rather than privileged code execution, the risk is limited to service disruption. No publicly known exploits exist at the time of this analysis, and the EPSS score is unavailable, indicating limited statistical data. The CVSS score is not supplied, but the potential for widespread BGP outages underscores a high impact risk.

Generated by OpenCVE AI on May 4, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gobgp to the latest release that includes the fix for the out‑of‑bounds read.
  • If an upgrade cannot be performed immediately, restrict inbound BGP UPDATE traffic to trusted peering partners only.
  • Implement a health‑check or watchdog to automatically restart the gobgp service if it crashes.

Generated by OpenCVE AI on May 4, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Read in gobgp Leading to DoS
First Time appeared Osrg
Osrg gobgp
Weaknesses CWE-125
Vendors & Products Osrg
Osrg gobgp

Mon, 04 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
References

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T16:00:52.863Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37461

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:23.230

Modified: 2026-05-04T17:16:23.230

Link: CVE-2026-37461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T17:30:04Z

Weaknesses