CVE-2026-42285
Unauthenticated Remote Crash in GoBGP via Malformed BGP UPDATE
Publication date: 2026-05-07
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osrg | gobgp | 4.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42285 is a high-severity vulnerability in GoBGP version 4.4.0, an open source Border Gateway Protocol implementation. An unauthenticated remote attacker can send a specially crafted BGP UPDATE message with invalid attribute lengths. This causes a nil pointer dereference in the AdjRib.Update function, triggering a fatal panic that crashes the entire GoBGP process.
The crash results in a complete loss of service availability. The vulnerability arises because the server improperly handles internal state transitions when processing inconsistent attribute lengths in the UPDATE message.
This issue was fixed in GoBGP version 4.5.0.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by crashing the GoBGP process completely. Since GoBGP is responsible for managing BGP routing, the crash leads to a total loss of service availability.
An attacker does not need any authentication or special privileges to exploit this flaw, making it easier to disrupt network operations remotely.
The impact is significant for any network relying on GoBGP for routing, as it can cause network outages or interruptions in connectivity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GoBGP to version 4.5.0 or later, where the issue has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in GoBGP v4.4.0 is triggered by receiving a specially crafted BGP UPDATE message with inconsistent attribute lengths, causing the GoBGP process to crash due to a nil pointer dereference.
To detect this vulnerability on your system, monitor the GoBGP process for unexpected crashes or service interruptions, especially after receiving BGP UPDATE messages.
Since the issue is caused by malformed BGP UPDATE messages, you can capture and analyze BGP traffic using network packet capture tools such as tcpdump or Wireshark to identify suspicious or malformed UPDATE messages.
- Use tcpdump to capture BGP traffic on the relevant interface and port (179): tcpdump -i <interface> port 179 -w gobgp_traffic.pcap
- Analyze the captured traffic with Wireshark or similar tools to inspect BGP UPDATE messages for inconsistent attribute lengths or malformed attributes.
- Check system logs or GoBGP logs for crash reports or panic messages related to nil pointer dereferences in the AdjRib.Update function.
Upgrading GoBGP to version 4.5.0 or later is the recommended mitigation to prevent this vulnerability.