CVE-2026-5123

A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:N/I:N/A:P

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/osrg/gobgp/	Product
https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f	Patch
https://github.com/osrg/gobgp/pull/3342	Issue Tracking
https://vuldb.com/submit/780179	Third Party Advisory VDB Entry
https://vuldb.com/vuln/354155	Third Party Advisory VDB Entry
https://vuldb.com/vuln/354155/cti	Permissions Required VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*

History

06 Apr 2026, 15:46

Type	Values Removed	Values Added
References	~~() https://github.com/osrg/gobgp/ -~~	() https://github.com/osrg/gobgp/ - Product
References	~~() https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f -~~	() https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f - Patch
References	~~() https://github.com/osrg/gobgp/pull/3342 -~~	() https://github.com/osrg/gobgp/pull/3342 - Issue Tracking
References	~~() https://vuldb.com/submit/780179 -~~	() https://vuldb.com/submit/780179 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/354155 -~~	() https://vuldb.com/vuln/354155 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/354155/cti -~~	() https://vuldb.com/vuln/354155/cti - Permissions Required, VDB Entry
CPE		cpe:2.3:a:osrg:gobgp::::::::
First Time		Osrg gobgp Osrg

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una debilidad en osrg GoBGP hasta 4.3.0. Esto impacta en la función DecodeFromBytes del archivo pkg/packet/bgp/bgp.go. Ejecutar una manipulación del argumento data[1] puede llevar a off-by-one. El ataque puede ser lanzado remotamente. Ataques de esta naturaleza son altamente complejos. La explotabilidad se dice que es difícil. Este parche se llama 67c059413470df64bc20801c46f64058e88f800f. Un parche debería aplicarse para remediar este problema.

30 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 16:16

Updated : 2026-04-06 15:46

NVD link : CVE-2026-5123

Mitre link : CVE-2026-5123

CVE.ORG link : CVE-2026-5123

JSON object : View

Products Affected

osrg

gobgp

CWE

CWE-189

Numeric Errors

CWE-193

Off-by-one Error

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

2.6 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-5123

3.7^/10

2.6^/10

Attach tags to `CVE-2026-5123`