Description
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
Published: 2026-03-30
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote BGP packet parsing error
Action: Apply Patch
AI Analysis

Impact

The flaw lies in the GoBGP routing daemon’s DecodeFromBytes function, where manipulating the second byte of a BGP message can cause an off‑by‑one error during packet parsing. This mistake may lead to malformed packet handling and potentially disrupt routing logic, but no evidence of memory corruption or arbitrary code execution is provided.

Affected Systems

The vulnerability affects the osrg GoBGP project, specifically versions up to and including 4.3.0. The affected component is the DecodeFromBytes routine located in pkg/packet/bgp/bgp.go.

Risk and Exploitability

The CVSS score of 6.3 denotes moderate severity. The EPSS score is below 1 %, indicating a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack vector is remote, requiring a crafted BGP packet from an external peer; however, the nature of the exploit is complex and the vulnerability is described as difficult to exploit in practice.

Generated by OpenCVE AI on April 6, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch referenced by commit 67c059413470df64bc20801c46f64058e88f800f to upgrade GoBGP to a fixed version (4.3.1 or later).
  • If an immediate update is not feasible, restrict inbound BGP connections to trusted peers and apply network segmentation to reduce exposure to malicious traffic.

Generated by OpenCVE AI on April 6, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Osrg
Osrg gobgp
Vendors & Products Osrg
Osrg gobgp

Mon, 30 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
Title osrg GoBGP bgp.go DecodeFromBytes off-by-one
Weaknesses CWE-189
CWE-193
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T18:10:27.344Z

Reserved: 2026-03-30T07:50:35.204Z

Link: CVE-2026-5123

cve-icon Vulnrichment

Updated: 2026-04-01T18:10:17.883Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T16:16:10.123

Modified: 2026-04-06T15:46:13.087

Link: CVE-2026-5123

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:38Z

Weaknesses