CVE-2026-41643
Remote DoS in GoBGP via Malformed BGP UPDATE Message
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osrg | gobgp | before 4.3.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GoBGP versions 4.2.0 and earlier, where a malformed BGP UPDATE message can cause a runtime error leading to a crash.
Specifically, when processing BGP UPDATE messages containing both AS_PATH and AS4_PATH attributes, if the AS4_PATH attribute appears before AS_PATH and is malformed, the code incorrectly handles the removal of the AS4_PATH attribute from an internal list.
This improper handling causes an out-of-bounds access (index out of range panic) due to the code continuing to use an outdated index after the list shifts, resulting in a crash of the GoBGP process.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
Exploitation of this vulnerability can cause the GoBGP process to crash immediately, leading to a complete loss of routing capabilities.
Since GoBGP is responsible for handling Border Gateway Protocol routing, a crash can disrupt network routing, potentially causing network outages or degraded network performance.
The vulnerability has a high severity with a CVSS score of 7.5, requires no privileges or user interaction, and can be exploited remotely with low attack complexity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or runtime panics in the GoBGP process, especially those triggered by malformed BGP UPDATE messages containing AS_PATH and AS4_PATH attributes in an unexpected order.
Specifically, detection involves identifying if the GoBGP daemon crashes with an 'index out of range' panic related to the processing of 4-byte AS attributes.
To detect attempts to exploit this vulnerability on your network, you can capture and analyze BGP UPDATE messages for malformed AS_PATH and AS4_PATH attributes, particularly where AS4_PATH (Type 17) appears before AS_PATH (Type 2).
Suggested commands include using packet capture tools like tcpdump or Wireshark to filter BGP UPDATE messages and inspect their attributes.
- tcpdump -i <interface> -w bgp_updates.pcap 'tcp port 179'
- Use Wireshark to open bgp_updates.pcap and filter for BGP UPDATE messages with AS4_PATH before AS_PATH attributes.
Additionally, monitoring GoBGP logs for runtime panics or crashes can help detect exploitation attempts.
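One way to automate the attribute-order check described above, as an added example that is not GoBGP code and not part of the original page. It assumes each BGP message has already been extracted from the capture as one byte slice (header included); the function name and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var errShort = errors.New("truncated or non-UPDATE BGP message")

// AS4PathBeforeASPath (hypothetical helper, added example) reports AS4_PATH (17) ahead of AS_PATH (2).
func AS4PathBeforeASPath(msg []byte) (bool, error) {
	if len(msg) < 23 || msg[18] != 2 { // 19-byte header + 2 length fields; type 2 = UPDATE
		return false, errShort
	}
	wd := int(msg[19])<<8 | int(msg[20]) // withdrawn routes length
	if len(msg) < 23+wd {
		return false, errShort
	}
	end := 23 + wd + (int(msg[21+wd])<<8 | int(msg[22+wd])) // end of path attributes
	if len(msg) < end {
		return false, errShort
	}
	attrs, seenAS4 := msg[23+wd:end], false
	for len(attrs) > 0 {
		hdr := 3 + int(attrs[0]>>4&1) // flags, type, length (2 bytes if Extended Length, 0x10)
		if len(attrs) < hdr {
			return false, errShort
		}
		vlen := int(attrs[hdr-1])
		if hdr == 4 {
			vlen |= int(attrs[2]) << 8
		}
		if len(attrs) < hdr+vlen {
			return false, errShort
		}
		if attrs[1] == 2 { // AS_PATH reached: report whether AS4_PATH came first
			return seenAS4, nil
		}
		seenAS4 = seenAS4 || attrs[1] == 17
		attrs = attrs[hdr+vlen:]
	}
	return false, nil
}

// Constructed sample: well-formed AS4_PATH [65536] placed before AS_PATH [23456].
var sample = append(bytes.Repeat([]byte{0xff}, 16), 0, 39, 2, 0, 0, 0, 16,
	0xc0, 17, 6, 2, 1, 0, 1, 0, 0, 0x40, 2, 4, 2, 1, 0x5b, 0xa0)

func main() { fmt.Println(AS4PathBeforeASPath(sample)) }
```

A match indicates only the attribute ordering the page describes; the function does not check whether the AS4_PATH value itself is malformed.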
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GoBGP to version 4.3.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider restricting or filtering BGP UPDATE messages from untrusted sources to prevent malformed messages from reaching the GoBGP process.
Monitoring and alerting on GoBGP process crashes can also help in early detection and response.