CVE-2026-5122

EUVD-2026-17091
A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
VulDBCNA
3.7 LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
osrggobgp
4.0
osrggobgp
4.1
osrggobgp
4.2
osrggobgp
4.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gobgp
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/osrg/gobgp/
https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d
https://github.com/osrg/gobgp/pull/3343
https://vuldb.com/submit/780124
https://vuldb.com/vuln/354154
https://vuldb.com/vuln/354154/cti