Summaryinfo

A vulnerability marked as problematic has been reported in osrg GoBGP up to 4.3.0. Affected is the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. The manipulation of the argument data[1] leads to off-by-one. This vulnerability is referenced as CVE-2026-5123. Remote exploitation of the attack is possible. No exploit is available. To fix this issue, it is recommended to deploy a patch.

Detailsinfo

A vulnerability was found in osrg GoBGP up to 4.3.0 and classified as problematic. This issue affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. The manipulation of the argument data[1] with an unknown input leads to a off-by-one vulnerability. Using CWE to declare the problem leads to CWE-193. A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. Impacted is availability.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-5123. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit.

Applying the patch 67c059413470df64bc20801c46f64058e88f800f is able to eliminate this problem. The bugfix is ready for download at github.com.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• osrg

Name

• GoBGP

Version

• 4.0
• 4.1
• 4.2
• 4.3.0

License

• open-source

Website

• Product: https://github.com/osrg/gobgp/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #780179: osrg GoBGP 4.3.0 Off-by-one Error (by Sunxj)

Discussion