CVE-2026-37462 - Vulnerability Details

- GobGP BGP UPDATE Integer Underflow Causes Denial of Service

Description

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Published: 2026-06-03

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An integer underflow occurs in the BGPUpdate.DecodeFromBytes function of gobgp v4.3.0 when parsing a BGP UPDATE message. The underflow causes a failure in processing the packet, which leads to a crash or unresponsiveness of the gobgp daemon, resulting in a denial of service that can disrupt BGP routing functionality.

Affected Systems

This vulnerability affects any deployment running gobgp version 4.3.0 that processes BGP UPDATE messages. Users should verify whether this exact version is used in their environment and whether the instance participates in BGP sessions. Newer releases are not known to be affected.

Risk and Exploitability

The EPSS score is <1% and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits at the time of this analysis. The likely attack vector is an attacker who can send a crafted BGP UPDATE message to the gobgp instance, such as through a faulty BGP peer or a compromised session. The integer underflow condition is present in the decoding path and can be triggered by malformed input, making exploitation straightforward for a determined attacker. The CVSS score of 7.5 indicates a high‑severity vulnerability, and the impact of a DoS on BGP routing is significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Osrg

Gobgp

95%

Version	Status	Scheme	Platform
`4.3.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a patched version of gobgp that addresses the integer underflow
If an upgrade is not immediately possible, block or filter malicious BGP UPDATE messages at the network edge using firewall rules or BGP session checks
Monitor BGP sessions for abnormal traffic patterns and implement rate limiting to mitigate repeated crash attempts

Generated by OpenCVE AI on June 4, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00279.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go
https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d

History

Thu, 04 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		GobGP BGP UPDATE Integer Underflow Causes Denial of Service

Thu, 04 Jun 2026 16:15:00 +0000

Type	Values Removed	Values Added
Title	Integer Underflow in BGP Update Decoding Causes DoS in gobgp
Weaknesses	CWE-189

Thu, 04 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-190
Metrics	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 03 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Integer Underflow in BGP Update Decoding Causes DoS in gobgp
Weaknesses		CWE-189

Wed, 03 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title	Integer Underflow in Gobgp BGP Update Decoding Enables DoS
Weaknesses	CWE-189

Wed, 03 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Title		Integer Underflow in Gobgp BGP Update Decoding Enables DoS
Weaknesses		CWE-189

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Osrg Osrg gobgp
Vendors & Products		Osrg Osrg gobgp

Wed, 03 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
References		https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d

Subscriptions

Osrg Gobgp

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-03T00:00:00.000Z

Updated: 2026-06-04T13:22:37.184Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37462

Vulnrichment

Updated: 2026-06-03T18:12:55.552Z

NVD

Status : Deferred

Published: 2026-06-03T16:16:29.120

Modified: 2026-06-04T16:28:59.003

Link: CVE-2026-37462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T17:30:16Z

Weaknesses

CWE-190
Integer Overflow or Wraparound

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object