CVE-2026-42285
Analyzed Analyzed - Analysis Complete
Unauthenticated Remote Crash in GoBGP via Malformed BGP UPDATE

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-16
NVD
CVE-2026-42285
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osrg gobgp 4.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42285 is a high-severity vulnerability in GoBGP version 4.4.0, an open source Border Gateway Protocol implementation. An unauthenticated remote attacker can send a specially crafted BGP UPDATE message with invalid attribute lengths. This causes a nil pointer dereference in the AdjRib.Update function, triggering a fatal panic that crashes the entire GoBGP process.

The crash results in a complete loss of service availability. The vulnerability arises because the server improperly handles internal state transitions when processing inconsistent attribute lengths in the UPDATE message.

This issue was fixed in GoBGP version 4.5.0.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the GoBGP process completely. Since GoBGP is responsible for managing BGP routing, the crash leads to a total loss of service availability.

An attacker does not need any authentication or special privileges to exploit this flaw, making it easier to disrupt network operations remotely.

The impact is significant for any network relying on GoBGP for routing, as it can cause network outages or interruptions in connectivity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GoBGP to version 4.5.0 or later, where the issue has been patched.

Detection Guidance

This vulnerability in GoBGP v4.4.0 is triggered by receiving a specially crafted BGP UPDATE message with inconsistent attribute lengths, causing the GoBGP process to crash due to a nil pointer dereference.

To detect this vulnerability on your system, monitor the GoBGP process for unexpected crashes or service interruptions, especially after receiving BGP UPDATE messages.

Since the issue is caused by malformed BGP UPDATE messages, you can capture and analyze BGP traffic using network packet capture tools such as tcpdump or Wireshark to identify suspicious or malformed UPDATE messages.

  • Use tcpdump to capture BGP traffic on the relevant interface and port (179): tcpdump -i <interface> port 179 -w gobgp_traffic.pcap
  • Analyze the captured traffic with Wireshark or similar tools to inspect BGP UPDATE messages for inconsistent attribute lengths or malformed attributes.
  • Check system logs or GoBGP logs for crash reports or panic messages related to nil pointer dereferences in the AdjRib.Update function.

Upgrading GoBGP to version 4.5.0 or later is the recommended mitigation to prevent this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42285. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart