Description
A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the GoBGP routing daemon allows a remote attacker to send a crafted SRv6 L3 Service attribute that causes SRv6L3ServiceAttribute.DecodeFromBytes (pkg/packet/bgp/prefix_sid.go) to hang, resulting in a denial of service of the BGP daemon. Malformed prefix_sid data leaves the process unresponsive, which can interrupt routing services. The flaw is classified as CWE-404 (Improper Resource Shutdown or Release).

Affected Systems

The issue affects osrg’s GoBGP implementation in versions up to and including 4.3.0. The affected component is the SRv6 L3 Service module, specifically the DecodeFromBytes routine in pkg/packet/bgp/prefix_sid.go. The vulnerability was resolved in GoBGP 4.4.0, which incorporates the patch identified by commit f9f7b55ec258e514be0264871fa645a2c3edad11.

Risk and Exploitability

The CVSS 4.0 base score for this flaw is 6.9 (Medium). The description states that “the attack may be performed from remote,” which supports a network attack vector, and nothing in the record indicates that local privileges or authentication are required. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. While the likelihood of exploitation is therefore uncertain, the potential for routing-service disruption justifies prompt remediation.

Generated by OpenCVE AI on May 4, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GoBGP software to version 4.4.0 or later to obtain the vendor-supplied fix.
  • Restart all active GoBGP instances so that the updated binaries and configuration files are loaded.
  • Enable service monitoring or health checks to detect any unresponsiveness promptly.

Advisories

No advisories yet.

History

Mon, 04 May 2026 05:30:00 +0000

All entries in this change are values added; no values were removed.

  • Description: added (identical to the Description at the top of this page)
  • Title: osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service
  • First Time appeared: Osrg; Osrg gobgp
  • Weaknesses: CWE-404
  • CPEs: cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*
  • Vendors & Products: Osrg; Osrg gobgp
  • References: (none)
  • Metrics:
      cvssV2_0: score 5, vector AV:N/AC:L/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C
      cvssV3_0: score 5.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C
      cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C
      cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T05:00:16.556Z

Reserved: 2026-05-03T16:16:17.495Z

Link: CVE-2026-7734

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T06:16:02.197

Modified: 2026-05-04T06:16:02.197

Link: CVE-2026-7734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T07:30:39Z

Weaknesses