Threat Advisory

GoBGP Remote Denial of Service Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Two security vulnerabilities have been identified in GoBGP that can lead to remote denial of service (DoS). One affects versions 4.2.0 and earlier, the other affects version 4.3.0. In both cases a specially crafted BGP UPDATE message received from a peer causes the GoBGP process to panic and exit, which drops every BGP session the daemon holds and results in a complete loss of routing capability on that node. This can have a significant business impact, particularly for organizations that rely on BGP for their network infrastructure. Immediate action is required to mitigate these vulnerabilities.

  • CVE-2026-41643 (CVSS score 7.5) - Affects GoBGP versions 4.2.0 and earlier. A specially crafted BGP UPDATE message triggers a Go runtime panic ("index out of range") while the message is parsed, and the unrecovered panic terminates the whole gobgpd process. Exploitation is remote and needs no credentials on the host, but the attacker must be, or control, a peer with an established BGP session to the target, because a BGP speaker only processes UPDATE messages on sessions that have reached the Established state. Any GoBGP deployment that accepts UPDATE messages from peers is therefore exposed.
  • CVE-2026-41642 (CVSS score 7.5) - Affects GoBGP version 4.3.0. A malformed BGP UPDATE message carrying an unrecognized Path Attribute whose Optional flag bit is clear (that is, an attribute claiming to be "well-known") triggers a nil pointer dereference, again crashing the process. RFC 4271 expects a receiver to reject such an attribute with a NOTIFICATION (UPDATE Message Error, subcode 2, Unrecognized Well-known Attribute) affecting only that one session, not to crash. The prerequisites are the same as above: the attacker needs an established session, which any external or internal peer of the GoBGP instance has.
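Both bullets describe failures in the path-attribute parsing stage of an UPDATE message: a length field trusted before it is used to slice the buffer, and an attribute with the Optional bit clear reaching code that has no decoder for its type code. The Go program below is an added example written for this advisory; it is not GoBGP's code and not the fix shipped in 4.4.0. It shows how a parser should handle both classes of input, returning the RFC 4271 UPDATE error subcode for the NOTIFICATION instead of panicking. The byte strings are constructed for illustration, not captured from a peer, and type code 250 is an arbitrary value the toy parser does not recognize.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Attribute flag bits (RFC 4271 section 4.3).
const (
	flagOptional = 0x80
	flagExtLen   = 0x10
)

// UPDATE Message Error subcodes (RFC 4271 section 4.5).
const (
	SubMalformedAttrList     uint8 = 1
	SubUnrecognizedWellKnown uint8 = 2
	SubAttrLengthError       uint8 = 5
)

// Well-known attributes this toy parser knows: ORIGIN, AS_PATH, NEXT_HOP,
// LOCAL_PREF, ATOMIC_AGGREGATE. Anything else with the Optional bit clear
// is an unrecognized well-known attribute.
var knownWellKnown = map[uint8]bool{1: true, 2: true, 3: true, 5: true, 6: true}

// PathAttr is one parsed attribute; Value aliases the input buffer.
type PathAttr struct {
	Flags    uint8
	TypeCode uint8
	Value    []byte
}

// UpdateError carries the subcode the receiver should put in the
// NOTIFICATION it sends before closing this one session.
type UpdateError struct {
	Subcode uint8
	Msg     string
}

func (e *UpdateError) Error() string {
	return fmt.Sprintf("UPDATE error subcode %d: %s", e.Subcode, e.Msg)
}

// SubcodeOf extracts the subcode from err, or 0 for nil / other errors.
func SubcodeOf(err error) uint8 {
	var ue *UpdateError
	if errors.As(err, &ue) {
		return ue.Subcode
	}
	return 0
}

// ParsePathAttributes walks the Path Attributes field of an UPDATE.
// Every length is checked before it is used to slice the buffer, and an
// unrecognized attribute whose Optional bit is clear is rejected with
// subcode 2 rather than handed to a decoder that does not exist.
// Unrecognized optional attributes are kept, as RFC 4271 allows.
func ParsePathAttributes(buf []byte) ([]PathAttr, error) {
	var attrs []PathAttr
	for len(buf) > 0 {
		if len(buf) < 3 {
			return nil, &UpdateError{Subcode: SubMalformedAttrList, Msg: "truncated attribute header"}
		}
		flags, typeCode := buf[0], buf[1]
		hdrLen, valLen := 3, int(buf[2])
		if flags&flagExtLen != 0 {
			if len(buf) < 4 {
				return nil, &UpdateError{Subcode: SubMalformedAttrList, Msg: "truncated extended length"}
			}
			hdrLen, valLen = 4, int(binary.BigEndian.Uint16(buf[2:4]))
		}
		if len(buf)-hdrLen < valLen { // the check a panicking parser lacks
			return nil, &UpdateError{Subcode: SubAttrLengthError,
				Msg: fmt.Sprintf("type %d declares %d bytes, %d available", typeCode, valLen, len(buf)-hdrLen)}
		}
		if flags&flagOptional == 0 && !knownWellKnown[typeCode] {
			return nil, &UpdateError{Subcode: SubUnrecognizedWellKnown,
				Msg: fmt.Sprintf("unrecognized well-known attribute type %d", typeCode)}
		}
		attrs = append(attrs, PathAttr{Flags: flags, TypeCode: typeCode, Value: buf[hdrLen : hdrLen+valLen]})
		buf = buf[hdrLen+valLen:]
	}
	return attrs, nil
}

// Constructed samples for illustration; none was captured from a real peer.
var (
	// ORIGIN=IGP, AS_PATH with one AS_SEQUENCE holding AS 65001, NEXT_HOP 192.0.2.1.
	SampleGood = []byte{
		0x40, 0x01, 0x01, 0x00,
		0x40, 0x02, 0x04, 0x02, 0x01, 0xfd, 0xe9,
		0x40, 0x03, 0x04, 0xc0, 0x00, 0x02, 0x01,
	}
	// Type 250 with the Optional bit clear: claims to be well-known (the nil-deref class).
	SampleUnknownWellKnown = []byte{0x40, 0xfa, 0x02, 0xaa, 0xbb}
	// Same type 250 flagged optional+transitive: must be carried, not rejected.
	SampleUnknownOptional = []byte{0xc0, 0xfa, 0x02, 0xaa, 0xbb}
	// Length says 10 bytes follow, only 2 do (the index-out-of-range class).
	SampleOverlong = []byte{0x40, 0x01, 0x0a, 0x00, 0x00}
	// Extended-length flag set, second length byte missing.
	SampleTruncatedExt = []byte{0x50, 0x0e, 0x00}
)

func main() {
	for name, b := range map[string][]byte{"good": SampleGood, "unknown well-known": SampleUnknownWellKnown,
		"unknown optional": SampleUnknownOptional, "overlong": SampleOverlong, "truncated ext": SampleTruncatedExt} {
		attrs, err := ParsePathAttributes(b)
		fmt.Printf("%-20s attrs=%d err=%v\n", name, len(attrs), err)
	}
}
```

The contrast between SampleUnknownWellKnown and SampleUnknownOptional is the point of the second CVE: the same unknown type code is legal with the Optional bit set and a protocol error without it, and the error path must be a NOTIFICATION on that session, never a process-wide panic.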

A crash of the GoBGP process drops every BGP session it holds; its peers withdraw the routes they learned from it, and traffic that depended on those routes is disrupted until the daemon is restarted and the sessions re-converge. Because the trigger is a single UPDATE message, a malicious peer can repeat it each time the daemon comes back, turning a crash into a sustained outage. The resulting business consequences include service disruption, revenue loss and reputational damage, so organizations that rely on GoBGP should act on the recommendation below without delay.

RECOMMENDATION:

  • Update GoBGP to version 4.4.0, which addresses both CVEs.
  • Until the upgrade is complete, limit who can reach the vulnerable code: both bugs are triggered by an UPDATE message, which is only processed on an established session, so restricting TCP port 179 to configured peers and enabling TCP MD5 session authentication keeps unauthenticated hosts out. This does not protect against a peer that is itself compromised or malicious.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-8rxh-r2p6-7f2q
https://github.com/advisories/GHSA-7235-89m6-f4px
