CVE-2026-37462
Integer Underflow in GoBGP Causes Denial of Service
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osrg | gobgp | 4.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer underflow in the BGPUpdate.DecodeFromBytes function of gobgp version 4.3.0. It occurs when a malformed BGP UPDATE message declares a section length smaller than the actual encoded element. This causes a uint16 subtraction to wrap around to a very large value, leading to silent data corruption as the function reads beyond the intended section boundary without raising an error.
The issue arises because the code does not properly check bounds before subtracting lengths, allowing crafted messages to exploit this underflow. The vulnerability can be triggered by supplying a specially crafted BGP UPDATE message that causes the length fields to underflow.
A security fix was introduced that adds bounds checks before each subtraction to detect and reject malformed messages early, preventing the underflow and subsequent data corruption.
How can this vulnerability impact me? :
This vulnerability can cause a Denial of Service (DoS) condition by allowing attackers to send crafted BGP UPDATE messages that exploit the integer underflow. This leads to silent data corruption and potentially crashes or instability in the gobgp service.
By consuming data beyond the intended boundaries without error, the system may behave unpredictably or become unavailable, disrupting network routing operations that rely on gobgp.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an integer underflow triggered by malformed BGP UPDATE messages with incorrect section lengths. Detection involves monitoring for such malformed BGP UPDATE messages that declare section lengths smaller than the actual encoded elements.
Since the vulnerability is in the gobgp BGPUpdate.DecodeFromBytes function, one way to detect it is to analyze BGP UPDATE messages for inconsistencies in withdrawn route length or path attribute length fields that could cause underflow.
No specific commands are provided in the resources, but network administrators can use packet capture tools like tcpdump or Wireshark to capture BGP UPDATE messages and inspect the lengths of withdrawn routes and path attributes for anomalies.
- Use tcpdump to capture BGP traffic: tcpdump -i <interface> tcp port 179 -w bgp_traffic.pcap
- Analyze the captured packets in Wireshark, filtering for BGP UPDATE messages and inspecting the withdrawn route length and path attribute length fields for suspiciously small values that do not match the actual data length.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update gobgp to a version that includes the security fix addressing this integer underflow vulnerability.
The fix introduces bounds checks before each subtraction operation in the BGPUpdate.DecodeFromBytes function to detect and reject malformed BGP UPDATE messages early, preventing the underflow and potential denial of service.
Until the update can be applied, consider implementing network-level filtering to block malformed BGP UPDATE messages if possible, and monitor BGP sessions for unusual behavior or crashes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.