CVE-2026-42285
Awaiting Analysis Awaiting Analysis - Queue
Unauthenticated Remote Crash in GoBGP via Malformed BGP UPDATE

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-05-07
AI Q&A
2026-05-07
EPSS Evaluated
N/A
NVD
CVE-2026-42285
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
osrg gobgp to 4.5.0 (exc)
osrg gobgp 4.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42285 is a high-severity vulnerability in GoBGP version 4.4.0, an open source Border Gateway Protocol implementation. An unauthenticated remote attacker can send a specially crafted BGP UPDATE message with invalid attribute lengths. This causes a nil pointer dereference in the AdjRib.Update function, triggering a fatal panic that crashes the entire GoBGP process.

The crash results in a complete loss of service availability. The vulnerability arises because the server improperly handles internal state transitions when processing inconsistent attribute lengths in the UPDATE message.

This issue was fixed in GoBGP version 4.5.0.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me? :

This vulnerability can cause a denial of service (DoS) by crashing the GoBGP process completely. Since GoBGP is responsible for managing BGP routing, the crash leads to a total loss of service availability.

An attacker does not need any authentication or special privileges to exploit this flaw, making it easier to disrupt network operations remotely.

The impact is significant for any network relying on GoBGP for routing, as it can cause network outages or interruptions in connectivity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade GoBGP to version 4.5.0 or later, where the issue has been patched.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart