CVE-2026-41642 - Vulnerability Details

- GoBGP: Remote Denial of Service (Panic) via Malformed Well-known Path Attribute

Description

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.

Published: 2026-05-07

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A nil pointer dereference in GoBGP version 4.3.0 causes the daemon to panic when it receives a malformed BGP UPDATE message that contains an unrecognized well‑known Path Attribute. The crash terminates the BGP process, creating a denial of service that affects routing stability and availability for any networks relying on the affected instance.

Affected Systems

The flaw impacts the osrg:gobgp Border Gateway Protocol implementation. Any installation running GoBGP prior to the patched release of version 4.4.0 is vulnerable. The fix is delivered in the 4.4.0 release and in all later updates.

Risk and Exploitability

The CVSS score of 7.5 reflects a high‑severity flaw. EPSS is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote—an adversary can test the vulnerable path by sending crafted BGP UPDATE messages over the network, and full exploitation does not require local privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

osrg

gobgp

affected

Version	Status	Constraints
`= 4.3.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:osrg:gobgp:4.3.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Osrg

Gobgp

100%

Version	Status	Scheme	Platform
`4.3.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the GoBGP 4.4.0 release or later to eliminate the nil pointer bug.
Restart the BGP daemon to ensure the updated binary is loaded after the upgrade.
If untrusted peers are present, restrict or filter BGP UPDATE traffic from external sources until the patch is deployed, reducing the chance of accidental or malicious malformed messages triggering the crash.

Generated by OpenCVE AI on May 7, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-7235-89m6-f4px	GoBGP has Remote Denial of Service (Panic) via Malformed Well-known Path Attribute

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/osrg/gobgp/releases/tag/v4.4.0
https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px

History

Thu, 07 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:osrg:gobgp:4.3.0:::::::*

Thu, 07 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Osrg Osrg gobgp
Vendors & Products		Osrg Osrg gobgp

Thu, 07 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 07 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.
Title		GoBGP: Remote Denial of Service (Panic) via Malformed Well-known Path Attribute
Weaknesses		CWE-476
References		https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Osrg Gobgp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-07T11:50:41.545Z

Updated: 2026-05-07T12:34:38.588Z

Reserved: 2026-04-21T23:58:43.801Z

Link: CVE-2026-41642

Vulnrichment

Updated: 2026-05-07T12:32:47.501Z

NVD

Status : Analyzed

Published: 2026-05-07T12:16:17.460

Modified: 2026-05-07T19:46:05.597

Link: CVE-2026-41642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:45:32Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object