Skip to content
Threat Feed
medium advisory

osrg GoBGP Integer Underflow Vulnerability

osrg GoBGP up to version 4.3.0 is vulnerable to an integer underflow in the parseRibEntry function, potentially allowing a remote attacker to cause a denial of service or other unspecified impacts; version 4.4.0 addresses this issue.

A vulnerability exists in osrg GoBGP, specifically in versions up to 4.3.0. The flaw is located within the parseRibEntry function of the pkg/packet/mrt/mrt.go file. This integer underflow vulnerability, identified as CVE-2026-7736, can be triggered remotely by an attacker who sends malicious or unexpected data to the affected function. Successful exploitation could lead to a denial-of-service condition or other unspecified consequences. Users are advised to upgrade to version 4.4.0, which contains the patch identified as 76d911046344a3923cbe573364197aa081944592, to mitigate the risk. The vulnerability poses a risk to network infrastructure relying on the BGP protocol, potentially impacting routing stability and availability.

Attack Chain

  1. An attacker identifies a vulnerable GoBGP instance running a version prior to 4.4.0.
  2. The attacker crafts a malicious MRT (Multi-Threaded Routing Toolkit) message.
  3. The attacker sends the crafted MRT message to the vulnerable GoBGP instance. This is typically done over a TCP connection to the BGP port (179).
  4. The parseRibEntry function processes the malicious MRT message.
  5. Due to the integer underflow vulnerability, the parseRibEntry function calculates an incorrect value.
  6. This incorrect value leads to unexpected behavior such as a crash or resource exhaustion.
  7. The GoBGP process becomes unstable or terminates.
  8. This disrupts BGP routing, potentially leading to a denial-of-service condition for network services that rely on BGP.

Impact

Successful exploitation of this vulnerability could allow a remote attacker to disrupt BGP routing, leading to a denial-of-service condition. The precise impact will depend on the specific network configuration and the role of the affected GoBGP instance. Systems relying on the BGP protocol for routing information could experience connectivity issues or routing instability. While the number of affected deployments is unknown, any organization utilizing GoBGP in their network infrastructure is potentially at risk.

Recommendation

  • Upgrade to GoBGP version 4.4.0 or later to remediate the integer underflow vulnerability described in CVE-2026-7736.
  • Monitor network traffic for unexpected MRT messages being sent to GoBGP instances using the Sigma rule provided below.
  • Review and harden BGP configurations to limit exposure and potential attack surface.

Detection coverage 2

Detect Potentially Malicious MRT Messages to GoBGP

low

Detects network connections to the BGP port (179) that might carry malicious MRT messages targeting GoBGP instances.

sigma tactics: initial_access techniques: T1595 sources: network_connection, linux

Detect GoBGP Process Crash

medium

Detects when GoBGP process crashes indicating a possible vulnerability exploitation.

sigma tactics: availability techniques: T1485 sources: process_creation, linux

Detection queries are kept inside the platform. Get full rules →