Threat Advisory

Bird-lg-go Vulnerability Triggers Remote Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45047, with a CVSS score of 7.5, is a remote denial of service (RDoS) vulnerability in the bird-lg-go package affecting versions prior to 0.0.0-20260507060110-0ff87024cb9e. The vulnerability arises from uncontrolled resource consumption via unbounded JSON decoding: the `apiHandler` and `webHandlerTelegramBot` functions process user-provided JSON payloads without any restriction on the maximum read size. An unauthenticated remote attacker can exploit this by streaming an extremely large, endless JSON payload over a single TCP connection, which rapidly exhausts the host's physical RAM or the container's memory limit, leading to an unrecoverable `fatal error: runtime: out of memory` and termination of the `bird-lg-go` daemon by the Linux OOM Killer, a severe Remote Denial of Service (RDoS). The only requirement is that the attacker can reach the internet-facing interface of the `bird-lg-go` daemon; no other prerequisites or conditions are needed for exploitation. The business impact is significant: system crashes, data loss, and prolonged downtime.

RECOMMENDATION:

  • We recommend updating bird-lg-go to version 0.0.0-20260507060110-0ff87024cb9e.
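The mitigation the advisory implies, as an added Go example that is not code from bird-lg-go: a JSON handler whose body read is bounded with http.MaxBytesReader, exercised in memory against a constructed never-ending JSON body. The names maxBodyBytes, apiRequest, endlessJSON and postJSON, and the 64 KiB cap, are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBodyBytes = 64 * 1024 // assumed cap; not a setting taken from bird-lg-go

type apiRequest struct{ Args string `json:"args"` } // hypothetical field, not the project's struct
type endless struct{}                                // constructed reader: yields 'A' bytes forever

// Without the MaxBytesReader line this is the pattern the advisory describes: Decode
// reads until the value ends, so an endless body allocates until the process is killed.
func hardenedAPIHandler(w http.ResponseWriter, r *http.Request) {
	var req apiRequest
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		status := http.StatusBadRequest // malformed JSON
		if errors.As(err, new(*http.MaxBytesError)) {
			status = http.StatusRequestEntityTooLarge // body exceeded maxBodyBytes
		}
		http.Error(w, http.StatusText(status), status)
		return
	}
	json.NewEncoder(w).Encode(req)
}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil // never io.EOF
}

// endlessJSON opens a JSON string that never terminates, like the advisory's endless payload.
func endlessJSON() io.Reader {
	return io.MultiReader(strings.NewReader(`{"args":"`), endless{})
}

// postJSON drives the handler in memory and returns the status and trimmed body.
func postJSON(body io.Reader) (int, string) {
	rec := httptest.NewRecorder()
	hardenedAPIHandler(rec, httptest.NewRequest(http.MethodPost, "/api/", body))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

Feeding endlessJSON() to the handler returns 413 after at most maxBodyBytes have been buffered, and the process stays up; the same body against a handler without the MaxBytesReader line would grow memory without bound.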

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-39qr-rc93-vhqm
