Description
A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The identifier of the patch is f0f24a2a901cbf159260698211ab15c583ced131. To fix this issue, it is recommended to deploy a patch.
Published: 2026-03-30
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability resides in the BGPHeader.DecodeFromBytes function within GoBGP’s packet handling module. The function fails to enforce proper access controls on BGP header data received from remote peers, allowing a malicious actor to manipulate the parsing logic. Because the BGP header dictates how routing updates are interpreted, this flaw can lead to unauthorized manipulation of routing information or potential disclosure of state. The description indicates remote exploitation is possible, though the attack requires high complexity and is considered difficult to execute.

Affected Systems

The flaw affects the GoBGP routing software produced by osrg, specifically any installation running version 4.3.0 or earlier. The affected component is the BGP Header Handler, which is part of the GoBGP core packet library. No further version granularity is listed in the CNA data beyond the 4.3.0 cutoff.

Risk and Exploitability

The CVSS score of 6.3 places the vulnerability in the moderate range, while the EPSS score of less than 1 % indicates a low probability of observed exploitation. The flaw is not currently listed in CISA’s KEV catalog, so it is not known to have been widely exploited in the wild. Attackers would need to establish a BGP session with a vulnerable GoBGP instance and craft a malicious header, making the exploitation path complex and demanding expertise in BGP protocol internals. In the absence of an active exploitation tool, the overall risk to deployed systems remains moderate but actionable.

Generated by OpenCVE AI on April 6, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the hot‑fix commit f0f24a2a901cbf159260698211ab15c583ced131 to the GoBGP codebase.
  • Upgrade your GoBGP deployment to a version newer than 4.3.0, which includes the patch.
  • Review and tighten BGP peering configurations to restrict the acceptance of routes from untrusted peers.

Generated by OpenCVE AI on April 6, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Osrg
Osrg gobgp
Vendors & Products Osrg
Osrg gobgp

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The identifier of the patch is f0f24a2a901cbf159260698211ab15c583ced131. To fix this issue, it is recommended to deploy a patch.
Title osrg GoBGP BGP Header bgp.go BGPHeader.DecodeFromBytes access control
Weaknesses CWE-266
CWE-284
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T18:39:46.466Z

Reserved: 2026-03-30T07:50:38.468Z

Link: CVE-2026-5124

cve-icon Vulnrichment

Updated: 2026-03-30T18:39:43.122Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T17:16:16.087

Modified: 2026-04-06T15:52:36.687

Link: CVE-2026-5124

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:33Z

Weaknesses