CVE-2026-5122 - Vulnerability Details

Description

A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.

Published: 2026-03-30

Score: 6.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability is caused by an improper access control check in the DecodeFromBytes function of GoBGP’s BGP OPEN message handler. The flaw arises when an attacker manipulates the domainNameLen field, allowing bypass of privilege restrictions and potentially granting unauthorized access to sensitive BGP functions or data. The weakness aligns with CWE-266 and CWE-284, representing an improper restriction of excessive privileges and general improper access control, respectively. The nature of the exploit is remote, requiring a high degree of technical skill and making exploitation difficult, but the impact could allow an attacker to compromise BGP sessions or obtain privileged information.

Affected Systems

The affected product is osrg GoBGP version 4.3.0 and earlier. Any deployment of GoBGP that has not been upgraded past this release is vulnerable, regardless of environment.

Risk and Exploitability

The CVSS score of 6.3 reflects moderate severity, while the EPSS score is not available. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to send a crafted BGP OPEN message remotely with a manipulated domainNameLen value; the high exploitation complexity and difficulty reduce the immediate threat, yet the possibly high impact warrants prompt attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

osrg

GoBGP

affected

Version	Status	Constraints
`4.0`	affected	—
`4.1`	affected	—
`4.2`	affected	—
`4.3.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch from the reference commit to update GoBGP to a version that includes the fix
If an immediate upgrade is not feasible, isolate BGP interfaces and restrict unauthorized BGP OPEN messages
Monitor BGP traffic for abnormal OPEN messages and log suspicious activity for forensic analysis

Generated by OpenCVE AI on March 30, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/osrg/gobgp/
https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d
https://github.com/osrg/gobgp/pull/3343
https://vuldb.com/submit/780124
https://vuldb.com/vuln/354154
https://vuldb.com/vuln/354154/cti

History

Mon, 30 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
Title		osrg GoBGP BGP OPEN Message bgp.go DecodeFromBytes access control
Weaknesses		CWE-266 CWE-284
References		https://github.com/osrg/gobgp/ https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d https://github.com/osrg/gobgp/pull/3343 https://vuldb.com/submit/780124 https://vuldb.com/vuln/354154 https://vuldb.com/vuln/354154/cti
Metrics		cvssV2_0 `{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-30T14:15:14.485Z

Updated: 2026-03-30T16:38:44.520Z

Reserved: 2026-03-30T07:46:42.677Z

Link: CVE-2026-5122

Vulnrichment

Updated: 2026-03-30T16:38:35.561Z

NVD

Status : Received

Published: 2026-03-30T15:16:35.947

Modified: 2026-03-30T15:16:35.947

Link: CVE-2026-5122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:40Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object