Description
A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was identified in osrg GoBGP up to version 4.3.0. The flaw resides in the parseRibEntry function of the mrt.go file and causes an integer underflow when processing specific MRT data. An attacker can exploit this by supplying crafted routing data to a GoBGP instance, potentially leading to corrupted routing entries or unintended behavior caused by the underflow. The issue is not limited to local inputs; the description indicates that it can be launched remotely through network interactions.

Affected Systems

OSRG GoBGP versions 4.3.0 and earlier are affected. The fix is included in release 4.4.0 and later, as documented in the commit 76d911046344a3923cbe573364197aa081944592.

Risk and Exploitability

The CVSS score of 6.9 reflects medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, relying on external MRT input to a GoBGP process. The patch addresses the integer underflow and eliminates the advertised risk.

Generated by OpenCVE AI on May 4, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GoBGP to version 4.4.0 or later to patch the integer underflow vulnerability.
  • Restrict access to the MRT data feeds so that only trusted sources can deliver routing updates to the vulnerable instance.
  • Monitor routing table consistency for unexpected changes and investigate any anomalies that may indicate an attempted exploitation.

Generated by OpenCVE AI on May 4, 2026 at 07:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component.
Title osrg GoBGP mrt.go parseRibEntry integer underflow
First Time appeared Osrg
Osrg gobgp
Weaknesses CWE-189
CWE-191
CPEs cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*
Vendors & Products Osrg
Osrg gobgp
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T10:37:55.302Z

Reserved: 2026-05-03T16:16:30.716Z

Link: CVE-2026-7736

cve-icon Vulnrichment

Updated: 2026-05-04T10:37:51.922Z

cve-icon NVD

Status : Received

Published: 2026-05-04T07:16:01.517

Modified: 2026-05-04T07:16:01.517

Link: CVE-2026-7736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T07:45:05Z

Weaknesses