Description
A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
Published: 2026-03-30
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to BGP Configuration
Action: Patch Immediately
AI Analysis

Impact

A flaw exists in the GoBGP BGP OPEN message decoder that occurs when the domainNameLen argument is manipulated. This flaw leads to improper access controls, which can allow an attacker to bypass protections that normally restrict who may establish BGP sessions or modify configuration data. Based on the description, it is inferred that an attacker could potentially create or alter privileged BGP configuration and routing information, thereby degrading the integrity and reliability of the routing infrastructure. The weakness is classified as an access control failure (CWE-266) and a general authorization flaw (CWE-284).

Affected Systems

The vulnerability affects the GoBGP networking daemon released by osrg. Specifically, all releases up to and including version 4.3.0 are impacted. Users who have not applied the patch associated with commit 2b09db390a3d455808363c53e409afe6b1b86d2d, or who are running GoBGP 4.3.0 or earlier, are susceptible to the described flaw. Updating to a version published after the patch, or applying the patch directly, resolves the issue.

Risk and Exploitability

The CVSS score of 6.3 rates this issue as medium severity, and the EPSS score of less than 1% indicates a low probability of widespread exploitation. The flaw is not listed in CISA’s KEV catalog, suggesting no current widespread exploitation detection. The likely attack vector is remote, leveraging the BGP OPEN message that is normally exchanged between peers. Attack requirements include high complexity and a difficult exploitation process, meaning that only advanced threat actors with detailed knowledge of BGP behavior are likely to succeed. Nonetheless, because the vulnerability can affect routing integrity and confidentiality, timely mitigation is essential.

Generated by OpenCVE AI on April 8, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch (commit 2b09db390a3d455808363c53e409afe6b1b86d2d) or upgrade to a GoBGP release newer than 4.3.0 that incorporates the fix.
  • Configure BGP to accept OPEN messages only from trusted peers and enforce strict authentication.
  • Use network firewalls or ACLs to restrict inbound BGP traffic to known BGP peers only.
  • Monitor BGP logs for anomalous OPEN messages, particularly those containing unusual domainNameLen values.

Generated by OpenCVE AI on April 8, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Osrg
Osrg gobgp
Vendors & Products Osrg
Osrg gobgp

Mon, 30 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
Title osrg GoBGP BGP OPEN Message bgp.go DecodeFromBytes access control
Weaknesses CWE-266
CWE-284
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T16:38:44.520Z

Reserved: 2026-03-30T07:46:42.677Z

Link: CVE-2026-5122

cve-icon Vulnrichment

Updated: 2026-03-30T16:38:35.561Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T15:16:35.947

Modified: 2026-04-08T16:07:36.650

Link: CVE-2026-5122

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:36Z

Weaknesses