CVE-2026-41642
Remote DoS in GoBGP via Malformed BGP UPDATE
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osrg | gobgp | 4.3.0 |
| osrg | gobgp | 4.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GoBGP version 4.3.0 and is caused by a nil pointer dereference when handling malformed BGP UPDATE messages.
Specifically, if a BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known" (with the Optional bit set to 0), the GoBGP daemon fails to properly handle the error. Instead of sending a NOTIFICATION message as required by the BGP protocol (RFC 4271), the message parsing continues and tries to access a nil pointer, leading to illegal memory access.
This causes the entire GoBGP process to crash (panic), terminating the BGP daemon rather than just the affected session.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GoBGP version 4.3.0 causes a remote Denial of Service (DoS) by crashing the BGP daemon when processing malformed BGP UPDATE messages. This impacts the availability of the BGP service.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the availability impact caused by this vulnerability could potentially affect compliance with regulations that require maintaining service availability and resilience.
However, there is no direct information provided about how this vulnerability specifically affects compliance with these or other common standards and regulations.
How can this vulnerability impact me?
The vulnerability allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted malformed BGP UPDATE message.
Exploiting this flaw results in the complete crash of the GoBGP daemon, which disrupts BGP routing operations.
Since BGP is critical for routing between networks, this crash can lead to network outages or degraded network availability.
The attacker does not require any privileges or user interaction to trigger this crash, making it a high-severity availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or panics in the GoBGP daemon, which occur when it receives a malformed BGP UPDATE message containing an unrecognized Path Attribute marked as "Well-known".
Detection involves capturing and analyzing BGP UPDATE packets to identify those with unrecognized Type Codes marked as "Well-known" (e.g., Type 0xEE or 0xFF with flags 0x40).
Network administrators can use packet capture tools like tcpdump or Wireshark to filter and inspect BGP UPDATE messages for suspicious attributes.
- Use tcpdump to capture BGP UPDATE messages: tcpdump -i <interface> 'tcp port 179 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Analyze captured packets in Wireshark to look for BGP UPDATE messages with unrecognized Path Attribute Type Codes marked as "Well-known".
- Monitor GoBGP daemon logs for crash or panic messages indicating nil pointer dereference.
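The detection logic described above, as an added example that is not GoBGP's own code: a bounds-checked walk over the path attributes of a BGP UPDATE body that reports any attribute whose type code is unrecognized while its Optional bit is clear, the exact condition RFC 4271 section 6.3 requires a NOTIFICATION for. The set of recognized type codes (ORIGIN through AGGREGATOR) and the sample message are assumptions constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Type codes recognized here: ORIGIN through AGGREGATOR (RFC 4271 section 5.1).
var knownAttrTypes = map[byte]bool{1: true, 2: true, 3: true, 4: true, 5: true, 6: true, 7: true}
// Finding is an unrecognized attribute whose Optional bit (0x80) is clear (RFC 4271 section 6.3).
type Finding struct{ TypeCode, Flags byte }

// ScanUpdateBody walks the path attributes of a BGP UPDATE body (everything after
// the 19-byte header). Every length is bounds-checked, so malformed input returns
// an error rather than panicking.
func ScanUpdateBody(body []byte) ([]Finding, error) {
	if len(body) < 4 {
		return nil, errors.New("update body too short")
	}
	attrStart := 4 + int(binary.BigEndian.Uint16(body[0:2])) // skip withdrawn routes
	if attrStart > len(body) {
		return nil, errors.New("withdrawn routes length exceeds body")
	}
	attrEnd := attrStart + int(binary.BigEndian.Uint16(body[attrStart-2:attrStart]))
	if attrEnd > len(body) {
		return nil, errors.New("total path attribute length exceeds body")
	}
	var findings []Finding
	for i := attrStart; i < attrEnd; {
		hdr := 3 + int(body[i]>>4&1) // Extended Length bit (0x10) adds a length byte
		if i+hdr > attrEnd {
			return findings, errors.New("truncated path attribute header")
		}
		flags, typeCode, valLen := body[i], body[i+1], int(body[i+2])
		if hdr == 4 {
			valLen = int(binary.BigEndian.Uint16(body[i+2 : i+4]))
		}
		if i+hdr+valLen > attrEnd {
			return findings, errors.New("path attribute value exceeds attribute list")
		}
		if !knownAttrTypes[typeCode] && flags&0x80 == 0 {
			findings = append(findings, Finding{TypeCode: typeCode, Flags: flags})
		}
		i += hdr + valLen
	}
	return findings, nil
}
// SampleUpdateBody is constructed: no withdrawn routes, a valid ORIGIN attribute
// (flags 0x40, type 1, value IGP), then flags 0x40 with type 0xEE and length 0.
var SampleUpdateBody = []byte{0x00, 0x00, 0x00, 0x07, 0x40, 0x01, 0x01, 0x00, 0x40, 0xEE, 0x00}
```

Feed the scanner the UPDATE payload extracted from a capture on TCP port 179 (after the 19-byte BGP header) and alert on any non-empty result; an unrecognized attribute with the Optional bit set is legitimate per RFC 4271 and is deliberately not reported.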
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GoBGP to version 4.4.0 or later, where this vulnerability has been patched.
Until the upgrade can be applied, consider implementing network-level filtering to block malformed BGP UPDATE messages containing unrecognized "Well-known" Path Attributes.
Additionally, monitor the GoBGP daemon for crashes and restart it promptly if a crash occurs to maintain service availability.