Description
A vulnerability was found in osrg GoBGP up to and including version 4.3.0. The affected function is PathAttributeAigp.DecodeFromBytes in the file pkg/packet/bgp/bgp.go, part of the AIGP Attribute Parser component. Manipulating the input to this function results in a buffer overflow. The attack can be initiated remotely. Upgrading to version 4.4.0 addresses this issue; the fix is identified by commit 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow exists in the AIGP Attribute Parser of osrg GoBGP. A crafted input to the PathAttributeAigp.DecodeFromBytes function can overwrite memory, potentially allowing an attacker to crash the process or execute arbitrary code. The flaw is classified under CWE-119 and CWE-120, indicating unsafe buffer handling.

Affected Systems

Versions up to and including 4.3.0 of osrg GoBGP are affected. The issue is resolved in version 4.4.0.

Risk and Exploitability

The CVSS score of 6.9 classifies the severity as medium. EPSS data is not available, although the vulnerability can be triggered remotely. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a crafted packet to a running GoBGP instance.

Generated by OpenCVE AI on May 4, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GoBGP to version 4.4.0 or later to incorporate the security fix
  • If an immediate upgrade is not possible, apply the patch from commit 51ad1ada06cb41ce47b7066799981816f50b7ced to the source code and rebuild
  • Implement input size validation or restrict exposure of the AIGP attribute parser to prevent exploitation
  • Actively monitor network traffic for abnormal BGP packet structures, in particular malformed AIGP attributes, that may indicate exploitation attempts
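As an added illustration of the input size validation recommended above (this is standalone example code, not GoBGP's own parser or the patched function, and the names DecodeAigpTLVs and AigpTLV are hypothetical), the following Go decoder walks the TLVs of an AIGP attribute value in the RFC 7311 layout (1-byte type, 2-byte length that counts the header, value) and rejects any TLV whose declared length is shorter than its header or longer than the bytes remaining:

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// AIGP TLV layout (RFC 7311): Type (1 byte), Length (2 bytes, covering the
// whole TLV including this 3-byte header), Value (Length-3 bytes).
const aigpTLVHeaderLen = 3

// AigpTLV is one decoded TLV; for Type 1 (AIGP) Value is an 8-byte metric.
type AigpTLV struct {
	Type  uint8
	Value []byte
}

// DecodeAigpTLVs parses the value of an AIGP path attribute into its TLVs.
// Every slice operation is preceded by a length check, so a truncated or
// oversized Length field yields an error instead of an out-of-range index.
func DecodeAigpTLVs(data []byte) ([]AigpTLV, error) {
	var tlvs []AigpTLV
	for len(data) > 0 {
		if len(data) < aigpTLVHeaderLen {
			return nil, fmt.Errorf("aigp: truncated TLV header, %d bytes left", len(data))
		}
		t := data[0]
		l := int(binary.BigEndian.Uint16(data[1:3]))
		// Length counts the header, so it can never be below 3, and it must
		// not run past the end of the attribute value.
		if l < aigpTLVHeaderLen || l > len(data) {
			return nil, fmt.Errorf("aigp: TLV type %d declares length %d, %d bytes available", t, l, len(data))
		}
		if t == 1 && l != aigpTLVHeaderLen+8 {
			return nil, fmt.Errorf("aigp: type-1 TLV length %d, want 11", l)
		}
		tlvs = append(tlvs, AigpTLV{Type: t, Value: data[aigpTLVHeaderLen:l]})
		data = data[l:]
	}
	return tlvs, nil
}

func main() {
	// Constructed samples: a valid type-1 TLV carrying metric 100, and one
	// whose header claims 11 bytes when only 5 are present.
	for _, in := range [][]byte{{1, 0, 11, 0, 0, 0, 0, 0, 0, 0, 100}, {1, 0, 11, 0, 0}} {
		tlvs, err := DecodeAigpTLVs(in)
		fmt.Printf("%v -> %+v, err=%v\n", in, tlvs, err)
	}
}
```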

Advisories

No advisories yet.

History

Mon, 04 May 2026 05:30:00 +0000

Values added (no values were removed in this entry):

Description: A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.
Title: osrg GoBGP AIGP Attribute bgp.go PathAttributeAigp.DecodeFromBytes buffer overflow
First time appeared: Osrg; Osrg gobgp
Weaknesses: CWE-119; CWE-120
CPEs: cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*
Vendors & Products: Osrg; Osrg gobgp
References: (none listed)
Metrics:
  cvssV2_0: score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C
  cvssV3_0: score 7.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV3_1: score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X


MITRE
Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-05-04T12:49:04.665Z
Reserved: 2026-05-03T16:16:27.612Z
Link: CVE-2026-7735

Vulnrichment
No data.

NVD
Status: Received
Published: 2026-05-04T06:16:02.367
Modified: 2026-05-04T06:16:02.367
Link: CVE-2026-7735

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-04T07:30:39Z

Weaknesses