CVE-2026-5123
Off-by-One Vulnerability in GoBGP DecodeFromBytes Function
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osrg | gobgp | up to 4.4.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-189 | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an off-by-one error in the GoBGP project's DecodeFromBytes function for the CapSoftwareVersion struct. The code slices the byte array incorrectly when extracting the version string and truncates its last byte. Specifically, the original code used data[1:SoftwareVersionLen], which treats the length as the end index of the slice and so cuts off the final byte of the version string. The correct slice is data[1:1+SoftwareVersionLen], which includes the entire version string.
This bug can be triggered remotely but is considered highly complex and difficult to exploit.
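The two slice expressions described above, side by side, as an added example that is not GoBGP's own code. The function names, the layout (one length octet followed by the version bytes) and the sample string are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// encodeSoftwareVersion builds the assumed layout: length octet, then the string.
func encodeSoftwareVersion(v string) ([]byte, error) {
	if len(v) == 0 || len(v) > 255 {
		return nil, errors.New("version must be 1..255 bytes")
	}
	return append([]byte{byte(len(v))}, v...), nil
}

// declaredLen validates the length octet against the bytes that follow it.
func declaredLen(data []byte) (int, error) {
	if len(data) < 2 || data[0] == 0 || int(data[0]) > len(data)-1 {
		return 0, errors.New("length octet does not fit the buffer")
	}
	return int(data[0]), nil
}

// decodeBefore uses the slice bounds the page quotes as the original code.
// The upper bound is an end index, so the result stops one byte early.
func decodeBefore(data []byte) (string, error) {
	n, err := declaredLen(data)
	if err != nil {
		return "", err
	}
	return string(data[1:n]), nil
}

// decodeAfter uses the corrected bounds: start at 1, end at 1+n.
func decodeAfter(data []byte) (string, error) {
	n, err := declaredLen(data)
	if err != nil {
		return "", err
	}
	return string(data[1 : 1+n]), nil
}

func main() {
	buf, _ := encodeSoftwareVersion("example-1.2.3") // constructed sample value
	before, _ := decodeBefore(buf)
	after, _ := decodeAfter(buf)
	fmt.Printf("before=%q after=%q\n", before, after)
}
```

An encode-then-decode round trip like this is a useful regression test for any length-prefixed field, because the truncated result is still a valid string and raises no error.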
How can this vulnerability impact me?
The off-by-one error affects the decoding of the software version string in BGP packets. While the attack can be launched remotely, it is highly complex and difficult to exploit.
According to the CVSS scores, the impact on availability is low, with no impact on confidentiality or integrity. This suggests that the vulnerability might cause minor disruptions or errors but is unlikely to lead to data breaches or significant service outages.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to an off-by-one error in the GoBGP project's DecodeFromBytes function for the CapSoftwareVersion attribute. Detection would involve verifying if the affected GoBGP version (up to 4.3.0) is in use and if the vulnerable code is present.
Since the issue is in the decoding of BGP packets, network detection could involve monitoring BGP traffic for anomalies or malformed CapSoftwareVersion attributes, but no specific detection commands or signatures are provided.
A practical approach is to check the GoBGP version running on your systems. For example, you can run the following command on the system running GoBGP to determine its version:
- gobgp version
If the version is 4.3.0 or earlier, the system is potentially vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the patch that fixes the off-by-one error in the DecodeFromBytes function of the CapSoftwareVersion attribute.
This patch is identified by commit 67c059413470df64bc20801c46f64058e88f800f in the GoBGP project.
Therefore, you should update your GoBGP installation to a version that includes this patch or manually apply the fix from the commit.
Since the exploitability is considered difficult and the attack requires remote manipulation of BGP packets, limiting exposure of BGP services to untrusted networks can also reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.