CVE-2026-5123

EUVD-2026-17109
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
VulDBCNA
3.7 LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
osrggobgp
4.0
osrggobgp
4.1
osrggobgp
4.2
osrggobgp
4.3.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gobgp
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/osrg/gobgp/
https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f
https://github.com/osrg/gobgp/pull/3342
https://vuldb.com/submit/780179
https://vuldb.com/vuln/354155
https://vuldb.com/vuln/354155/cti