Description
A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read vulnerability exists in the BMP parser of GoBGP, specifically within the BMPPeerUpNotification.ParseBody and BMPStatisticsReport.ParseBody functions in bmp.go. Sending a crafted BMP message can cause the parser to read beyond the bounds of a buffer, potentially leaking sensitive memory contents or causing a crash. The vulnerability is linked to CWE-119 and CWE-125.

Affected Systems

The affected product is osrg GoBGP, in all releases up to and including 4.3.0. The issue has been addressed in release 4.4.0. The patch that resolves this flaw is identified by commit bc77597d42335c78464bc8e15a471d887bbdf260.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the exploit can be triggered remotely by an attacker who can send BMP packets to the server; authentication is not required. Because the vulnerability involves an out‑of‑bounds read, a successful exploit could lead to information disclosure or a denial of service if the service crashes. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting it is a known risk but not widely exploited yet. The risk is mitigated by applying the official patch or upgrading to the fixed version.

Generated by OpenCVE AI on May 4, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GoBGP installation to version 4.4.0 or later, which includes the fix identified by commit bc77597d42335c78464bc8e15a471d887bbdf260.
  • If upgrading is not immediately feasible, disable or restrict the BMP protocol interface to trusted peers only to prevent unauthenticated BMP traffic from reaching the vulnerable component.
  • Deploy network‑layer filtering (e.g., firewall rules) to block BMP traffic from untrusted sources while monitoring logs for anomalous BMP messages that could indicate exploitation attempts.

Generated by OpenCVE AI on May 4, 2026 at 07:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.
Title osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds
First Time appeared Osrg
Osrg gobgp
Weaknesses CWE-119
CWE-125
CPEs cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*
Vendors & Products Osrg
Osrg gobgp
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Osrg Gobgp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T00:57:22.608Z

Reserved: 2026-05-03T16:16:33.784Z

Link: CVE-2026-7737

cve-icon Vulnrichment

Updated: 2026-05-05T00:57:17.912Z

cve-icon NVD

Status : Received

Published: 2026-05-04T07:16:01.700

Modified: 2026-05-04T07:16:01.700

Link: CVE-2026-7737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T07:45:05Z

Weaknesses