CVE-2026-45047
Memory Exhaustion in bird-lg-go via Unbounded JSON Payload
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bird-lg-go | bird_lg_go | 1.4.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in bird-lg-go, a BIRD looking glass implemented in Go, specifically in versions prior to 1.4.5. The apiHandler and webHandlerTelegramBot process user-provided JSON payloads without limiting the maximum size of the input. An unauthenticated remote attacker can send an extremely large or endless JSON payload over a single TCP connection. Because Go's JSON decoder tries to allocate memory for the entire JSON structure, this causes rapid exhaustion of the host's physical RAM or container memory limits, resulting in a fatal out-of-memory error.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by exhausting the system's memory resources. An attacker can remotely trigger a fatal out-of-memory error, causing the affected service to crash or become unavailable. This can disrupt normal operations and potentially require a system restart or intervention to recover.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in bird-lg-go version 1.4.5. Immediate mitigation involves upgrading to version 1.4.5 or later.
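The answer above describes the root cause (a JSON decoder fed straight from the request body, so the client decides how much memory the server allocates) and the fix (upgrade to 1.4.5). The following Go example is added here to show the weak pattern next to a bounded one; it is hypothetical code written for this page, not bird-lg-go's handlers and not the project's actual patch, which this page does not reproduce. The request type, the 64 KiB cap, the `/api/` route and the listen address are all assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"time"
)

// maxJSONBytes is an assumed cap on request bodies; the limit the real
// handlers use is not stated on this page.
const maxJSONBytes int64 = 64 << 10 // 64 KiB

// apiRequest is a hypothetical request shape, not bird-lg-go's own type.
type apiRequest struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// decodeUnbounded is the weak pattern: json.Decoder buffers the whole JSON
// value before decoding it, so an unauthenticated client can make the server
// allocate as much memory as it is willing to send.
func decodeUnbounded(r *http.Request) (apiRequest, error) {
	var req apiRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	return req, err
}

// decodeBounded wraps the body in http.MaxBytesReader. A read past limit
// fails with *http.MaxBytesError, the decoder stops, and net/http closes the
// connection instead of buffering an endless payload.
func decodeBounded(w http.ResponseWriter, r *http.Request, limit int64) (apiRequest, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	var req apiRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return apiRequest{}, fmt.Errorf("decode request: %w", err)
	}
	return req, nil
}

// handleAPI is a hypothetical handler built on the bounded decoder: it answers
// 413 when the cap is hit and 400 for any other malformed JSON.
func handleAPI(w http.ResponseWriter, r *http.Request) {
	req, err := decodeBounded(w, r, maxJSONBytes)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, fmt.Sprintf("request body exceeds %d bytes", tooLarge.Limit),
				http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed JSON request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{
		"servers": len(req.Servers), "type": req.Type, "args": req.Args,
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/", handleAPI)
	srv := &http.Server{
		Addr:              "127.0.0.1:5000", // assumed listen address
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
		// A slowly trickled body cannot hold a connection open indefinitely.
		ReadTimeout: 10 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```

`http.MaxBytesReader` is preferable to a plain `io.LimitReader` here because, on the server side, it also tells the `ResponseWriter` to close the connection once the limit is exceeded, so the client gains nothing by continuing to stream. The server timeouts are a separate control: the size cap bounds memory per request, the timeouts bound how long each request can occupy a connection.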
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually large or endless JSON payloads sent to the bird-lg-go service, especially targeting the apiHandler or webHandlerTelegramBot endpoints.
On the system side, detection can involve checking for out-of-memory (OOM) killer events terminating the bird-lg-go process, which indicates memory exhaustion caused by this vulnerability.
Network detection can include capturing and analyzing traffic to identify large or continuous JSON payloads sent over TCP connections to the bird-lg-go service.
- Use system logs to check for OOM killer events: `dmesg | grep -i 'out of memory'` or `journalctl -k | grep -i 'oom'`
- Monitor bird-lg-go process crashes or restarts: `systemctl status bird-lg-go` or `ps aux | grep bird-lg-go`
- Capture network traffic targeting bird-lg-go ports and filter for large JSON payloads using tools like tcpdump or Wireshark, e.g.: `tcpdump -i eth0 tcp port <bird-lg-go-port> -w capture.pcap`
- Analyze captured traffic for large JSON payloads or continuous streams using Wireshark or custom scripts.
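The host-side check above greps kernel messages for OOM-killer events by hand. The following Go program is added here as a small detector for the same signal: it scans `dmesg`/`journalctl -k` style lines and reports OOM kills of a named process, distinguishing host-wide kills from memory-cgroup (container limit) kills. It is not part of bird-lg-go or of this page; the sample log lines are constructed for the example and the process name `bird-lg-go` is assumed to be the service's binary name.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// OOMEvent is one OOM-killer kill extracted from a kernel log line.
type OOMEvent struct {
	PID    int
	Comm   string // process name as the kernel prints it in parentheses
	Cgroup bool   // true when a memory cgroup limit (e.g. a container) triggered the kill
}

// oomKillRe matches the "Killed process" line the Linux OOM killer prints,
// for both host-wide and memory-cgroup OOM conditions.
var oomKillRe = regexp.MustCompile(
	`(Memory cgroup out of memory|Out of memory): Killed process (\d+) \(([^)]+)\)`)

// oomEventsFor scans kernel log lines and returns the OOM kills whose
// process name equals comm. Lines that do not match are ignored.
func oomEventsFor(lines []string, comm string) []OOMEvent {
	var events []OOMEvent
	for _, line := range lines {
		m := oomKillRe.FindStringSubmatch(line)
		if m == nil || m[3] != comm {
			continue
		}
		pid, err := strconv.Atoi(m[2])
		if err != nil {
			continue
		}
		events = append(events, OOMEvent{
			PID:    pid,
			Comm:   m[3],
			Cgroup: strings.HasPrefix(m[1], "Memory cgroup"),
		})
	}
	return events
}

// sampleKernelLog is a constructed sample in the kernel's log format; it is
// not a real capture from an affected host.
var sampleKernelLog = []string{
	"[12345.678901] Out of memory: Killed process 2174 (bird-lg-go) total-vm:4207844kB, anon-rss:3987200kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:7924kB oom_score_adj:0",
	"[12399.000000] Memory cgroup out of memory: Killed process 2310 (bird-lg-go) total-vm:1048576kB, anon-rss:1040000kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:2100kB oom_score_adj:0",
	"[12400.111111] Out of memory: Killed process 999 (chromium) total-vm:2000000kB, anon-rss:1900000kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:4000kB oom_score_adj:300",
	"[12401.000000] bird-lg-go[2311]: listening on :5000",
}

func main() {
	for _, ev := range oomEventsFor(sampleKernelLog, "bird-lg-go") {
		scope := "host"
		if ev.Cgroup {
			scope = "cgroup"
		}
		fmt.Printf("OOM kill: pid=%d comm=%s scope=%s\n", ev.PID, ev.Comm, scope)
	}
}
```

In practice you would feed it `journalctl -k --no-pager` output instead of the embedded sample. Repeated kills of the same service shortly after it restarts, with no matching growth in legitimate traffic, are the pattern to correlate with the network-side capture described above.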