CVE-2026-5123
Received Received - Intake
Off-by-One Vulnerability in GoBGP DecodeFromBytes Function

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: VulDB

Description
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5123
EUVD
EUVD-2026-17109
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osrg gobgp to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-189
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an off-by-one error in the GoBGP project's function DecodeFromBytes within the CapSoftwareVersion struct. The issue occurs because the code incorrectly slices a byte array when extracting the version string, truncating the last byte. Specifically, the original code used data[1:SoftwareVersionLen], which cut off the final byte of the version string. The correct slicing should be data[1:1+SoftwareVersionLen] to include the entire version string.

This bug can be triggered remotely but is considered highly complex and difficult to exploit.

Impact Analysis

The vulnerability may lead to an off-by-one error during the decoding of the software version string in BGP packets. While the attack can be launched remotely, it is highly complex and difficult to exploit.

According to the CVSS scores, the impact on availability is low, with no impact on confidentiality or integrity. This suggests that the vulnerability might cause minor disruptions or errors but is unlikely to lead to data breaches or significant service outages.

Detection Guidance

This vulnerability is related to an off-by-one error in the GoBGP project's DecodeFromBytes function for the CapSoftwareVersion attribute. Detection would involve verifying if the affected GoBGP version (up to 4.3.0) is in use and if the vulnerable code is present.

Since the issue is in the decoding of BGP packets, network detection could involve monitoring BGP traffic for anomalies or malformed CapSoftwareVersion attributes, but no specific detection commands or signatures are provided.

A practical approach is to check the GoBGP version running on your systems. For example, you can run the following command on the system running GoBGP to determine its version:

  • gobgp version

If the version is 4.3.0 or earlier, the system is potentially vulnerable.

Mitigation Strategies

The primary mitigation step is to apply the patch that fixes the off-by-one error in the DecodeFromBytes function of the CapSoftwareVersion attribute.

This patch is identified by commit 67c059413470df64bc20801c46f64058e88f800f in the GoBGP project.

Therefore, you should update your GoBGP installation to a version that includes this patch or manually apply the fix from the commit.

Since the exploitability is considered difficult and the attack requires remote manipulation of BGP packets, limiting exposure of BGP services to untrusted networks can also reduce risk.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart