CVE-2026-7735
Awaiting Analysis Awaiting Analysis - Queue
Buffer Overflow in GoBGP AIGP Attribute Parser

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: VulDB

Description
A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7735
EUVD
EUVD-2026-26915
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osrg gobgp to 4.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how the vulnerability in osrg GoBGP affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the osrg GoBGP software up to version 4.3.0, specifically in the function PathAttributeAigp.DecodeFromBytes within the AIGP Attribute Parser component. The issue arises because the parser did not properly handle malformed BGP messages, allowing certain errors to be ignored. This improper handling can lead to a buffer overflow when processing manipulated or malicious data remotely.

The vulnerability allows an attacker to send specially crafted BGP messages that cause the parser to overflow its buffer, potentially leading to unexpected behavior or crashes.

The problem was fixed in GoBGP version 4.4.0 by improving error handling in the parser to correctly detect and reject malformed AIGP TLVs, preventing invalid data from being processed or stored.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a buffer overflow in the GoBGP software, which may lead to denial of service (crashes) or potentially enable further exploitation depending on the environment.

Since the attack can be initiated remotely without authentication, it poses a risk to network stability and reliability where GoBGP is used for routing.

The vulnerability affects the integrity and availability of the BGP routing process, which could disrupt network operations.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the affected GoBGP component to version 4.4.0 or later.

This update includes a patch that fixes the buffer overflow issue in the AIGP Attribute Parser by improving error handling and validation of malformed BGP messages.

Detection Guidance

This vulnerability affects the GoBGP software up to version 4.3.0 in the AIGP Attribute Parser, specifically in the PathAttributeAigp.DecodeFromBytes function. Detection involves identifying if your system is running a vulnerable version of GoBGP.

To detect the vulnerability on your system, first check the installed GoBGP version. If it is 4.3.0 or earlier, your system is vulnerable.

  • Run the command: gobgp version

Additionally, monitoring BGP traffic for malformed AIGP TLVs that could trigger the buffer overflow might help detect exploitation attempts, but no specific detection commands or signatures are provided in the available resources.

The recommended mitigation is to upgrade GoBGP to version 4.4.0 or later, which includes the patch fixing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart