Package details: pkg:golang/github.com/osrg/gobgp/v4@4.4.0
purl pkg:golang/github.com/osrg/gobgp/v4@4.4.0
Next non-vulnerable version 4.5.0
Latest non-vulnerable version 4.5.0
Risk 4.0
Vulnerabilities affecting this package (1)

VCID-2cnf-zyh4-cuex (aliases: CVE-2026-42285, GHSA-p3w2-64xm-833j)
Summary: GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
Fixed by: 4.5.0

Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)

VCID-gck7-rsrw-r7fj (aliases: CVE-2026-41642, GHSA-7235-89m6-f4px)
Summary: GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.

VCID-ha64-6fyw-nuag (aliases: CVE-2026-7736, GHSA-hj4w-qr9j-c4cf)
Summary: A vulnerability was determined in osrg GoBGP up to 4.3.0. The affected code is the function parseRibEntry in the file pkg/packet/mrt/mrt.go. Manipulated input can lead to an integer underflow, and the attack can be launched remotely. Upgrading to version 4.4.0 addresses this issue; the fixing patch is identified as 76d911046344a3923cbe573364197aa081944592.

VCID-k7du-sx9c-6ff7 (aliases: CVE-2026-37461, GHSA-wmvj-f67g-qg4g)
Summary: An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted BGP UPDATE message.

VCID-v1de-mjt7-kbfh (aliases: CVE-2026-7734, GHSA-vm3g-8xwv-mxfp)
Summary: A vulnerability has been found in osrg GoBGP up to 4.3.0. It affects the function SRv6L3ServiceAttribute.DecodeFromBytes in the file pkg/packet/bgp/prefix_sid.go of the SRv6 L3 Service component. Manipulation of the argument data leads to denial of service, and the attack may be performed remotely. Upgrading to version 4.4.0 fixes this issue; the fixing patch is identified as f9f7b55ec258e514be0264871fa645a2c3edad11.