<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BGP — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bgp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 07:16:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bgp/feed.xml" rel="self" type="application/rss+xml"/><item><title>osrg GoBGP Integer Underflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-gobgp-integer-underflow/</link><pubDate>Mon, 04 May 2026 07:16:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-gobgp-integer-underflow/</guid><description>osrg GoBGP up to version 4.3.0 is vulnerable to an integer underflow in the parseRibEntry function, potentially allowing a remote attacker to cause a denial of service or other unspecified impacts; version 4.4.0 addresses this issue.</description><content:encoded><![CDATA[<p>A vulnerability exists in osrg GoBGP, specifically in versions up to 4.3.0. The flaw is located within the <code>parseRibEntry</code> function of the <code>pkg/packet/mrt/mrt.go</code> file. This integer underflow vulnerability, identified as CVE-2026-7736, can be triggered remotely by an attacker who sends malicious or unexpected data to the affected function. Successful exploitation could lead to a denial-of-service condition or other unspecified consequences. Users are advised to upgrade to version 4.4.0, which contains the patch identified as 76d911046344a3923cbe573364197aa081944592, to mitigate the risk.
The vulnerability poses a risk to network infrastructure relying on the BGP protocol, potentially impacting routing stability and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable GoBGP instance running a version prior to 4.4.0.</li>
<li>The attacker crafts a malicious MRT (Multi-Threaded Routing Toolkit) message.</li>
<li>The attacker sends the crafted MRT message to the vulnerable GoBGP instance. This is typically done over a TCP connection to the BGP port (179).</li>
<li>The <code>parseRibEntry</code> function processes the malicious MRT message.</li>
<li>Due to the integer underflow vulnerability, the <code>parseRibEntry</code> function calculates an incorrect value.</li>
<li>This incorrect value leads to unexpected behavior such as a crash or resource exhaustion.</li>
<li>The GoBGP process becomes unstable or terminates.</li>
<li>This disrupts BGP routing, potentially leading to a denial-of-service condition for network services that rely on BGP.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could allow a remote attacker to disrupt BGP routing, leading to a denial-of-service condition. The precise impact will depend on the specific network configuration and the role of the affected GoBGP instance. Systems relying on the BGP protocol for routing information could experience connectivity issues or routing instability. While the number of affected deployments is unknown, any organization utilizing GoBGP in their network infrastructure is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to GoBGP version 4.4.0 or later to remediate the integer underflow vulnerability described in CVE-2026-7736.</li>
<li>Monitor network traffic for unexpected MRT messages being sent to GoBGP instances using the Sigma rule provided below.</li>
<li>Review and harden BGP configurations to limit exposure and potential attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>integer underflow</category><category>bgp</category></item><item><title>GoBGP AIGP Attribute Parser Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-gobgp-buffer-overflow/</link><pubDate>Mon, 04 May 2026 06:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-gobgp-buffer-overflow/</guid><description>A remote buffer overflow vulnerability exists in osrg GoBGP up to version 4.3.0 within the PathAttributeAigp.DecodeFromBytes function, allowing attackers to potentially execute arbitrary code by manipulating the AIGP Attribute Parser.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability has been identified in the osrg GoBGP software, specifically affecting versions up to 4.3.0. The vulnerability resides in the <code>PathAttributeAigp.DecodeFromBytes</code> function of the <code>pkg/packet/bgp/bgp.go</code> file, which is part of the AIGP Attribute Parser component. An attacker can remotely trigger this vulnerability by sending a crafted BGP message containing a malicious AIGP attribute. Successful exploitation could lead to arbitrary code execution on the affected system. GoBGP is an open source BGP implementation. Organizations using GoBGP for routing purposes should upgrade to version 4.4.0 or apply the provided patch (51ad1ada06cb41ce47b7066799981816f50b7ced) to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a GoBGP instance running a vulnerable version (&lt;= 4.3.0).</li>
<li>Attacker crafts a malicious BGP update message containing a specially crafted AIGP attribute.</li>
<li>The crafted AIGP attribute is designed to trigger a buffer overflow in the <code>PathAttributeAigp.DecodeFromBytes</code> function.</li>
<li>The attacker sends the malicious BGP update message to the vulnerable GoBGP instance over TCP port 179.</li>
<li>The GoBGP instance receives the message and attempts to parse the AIGP attribute using the vulnerable function.</li>
<li>The <code>PathAttributeAigp.DecodeFromBytes</code> function fails to properly validate the size of the input data, leading to a buffer overflow.</li>
<li>The buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.</li>
<li>The attacker leverages the memory corruption to execute arbitrary code on the GoBGP instance, gaining control of the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected GoBGP instance. This can lead to a complete compromise of the routing infrastructure, allowing the attacker to intercept, modify, or disrupt network traffic. In service provider environments, this could affect a large number of customers and cause significant network outages. Given the CVSS v3.1 score of 7.3, this is considered a high-severity vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to GoBGP version 4.4.0 to remediate the vulnerability as mentioned in the overview.</li>
<li>Apply the patch <code>51ad1ada06cb41ce47b7066799981816f50b7ced</code> to the affected component to mitigate the vulnerability if upgrading is not immediately possible.</li>
<li>Monitor network traffic for BGP update messages with unusually large or malformed AIGP attributes, using a network intrusion detection system.</li>
<li>Deploy the Sigma rule detecting connections to port 179 from unusual sources to identify potentially malicious hosts attempting to exploit the vulnerability.</li>
<li>Review and harden BGP configuration to limit accepted peer connections to trusted sources only.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-7735</category><category>buffer-overflow</category><category>bgp</category></item><item><title>Juniper Junos OS and Junos OS Evolved BGP Session Reset Denial of Service (CVE-2026-33797)</title><link>https://feed.craftedsignal.io/briefs/2024-01-22-juniper-bgp-dos/</link><pubDate>Thu, 09 Apr 2026 22:16:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-22-juniper-bgp-dos/</guid><description>CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.</description><content:encoded><![CDATA[<p>CVE-2026-33797 is a vulnerability affecting Juniper Networks Junos OS and Junos OS Evolved versions 25.2 before 25.2R2 and 25.2-EVO before 25.2R2-EVO, respectively. It stems from improper input validation within the Border Gateway Protocol (BGP) handling. An unauthenticated, adjacent attacker can exploit this flaw by sending a crafted BGP packet to an already established BGP session. This malicious packet causes the targeted BGP session to reset, leading to a Denial of Service (DoS). Repeated transmission of the crafted packet can sustain the DoS condition. Both external BGP (eBGP) and internal BGP (iBGP) sessions are susceptible, and the vulnerability impacts both IPv4 and IPv6 network configurations. This vulnerability poses a risk to network stability and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Juniper device running Junos OS or Junos OS Evolved versions 25.2 prior to 25.2R2 or 25.2-EVO prior to 25.2R2-EVO.</li>
<li>The attacker establishes network adjacency to the targeted device, allowing for direct BGP communication.</li>
<li>The attacker crafts a specific, but genuine, BGP packet designed to exploit the improper input validation vulnerability.</li>
<li>The attacker sends the crafted BGP packet to an already established BGP session on the target device.</li>
<li>Upon receiving the malicious packet, the vulnerable Junos OS or Junos OS Evolved instance improperly processes it.</li>
<li>Due to the input validation failure, the targeted BGP session is forcibly reset.</li>
<li>The attacker repeats the process of sending the crafted BGP packet to continuously reset the BGP session.</li>
<li>The repeated session resets cause a sustained Denial of Service (DoS), disrupting network routing and connectivity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33797 leads to a denial-of-service condition affecting BGP routing. By repeatedly sending crafted BGP packets, an attacker can disrupt network connectivity and stability. The impact is a loss of routing functionality for networks relying on the targeted BGP sessions. The pool of potential victims is broad, including any organization using vulnerable versions of Junos OS or Junos OS Evolved. This can result in service outages, impaired communication, and potential financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Junos OS to version 25.2R2 or later to remediate CVE-2026-33797 (see references).</li>
<li>Upgrade Junos OS Evolved to version 25.2R2-EVO or later to remediate CVE-2026-33797 (see references).</li>
<li>Deploy the Sigma rule provided to detect unusual BGP reset activity in network traffic (see rules).</li>
<li>Monitor network traffic for unexpected BGP session resets originating from adjacent networks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-33797</category><category>denial-of-service</category><category>juniper</category><category>bgp</category><category>network</category></item><item><title>GoBGP Remote Denial of Service via Malformed BGP UPDATE Message</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/</guid><description>A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.</description><content:encoded><![CDATA[<p>A remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the <code>UpdatePathAttrs4ByteAs</code> function within <code>internal/pkg/table/message.go</code>. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).</li>
<li>The attacker crafts a malicious BGP UPDATE message. This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.</li>
<li>The crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.</li>
<li>The AS4_PATH attribute is intentionally malformed to trigger a validation error.</li>
<li>The GoBGP process attempts to remove the invalid AS4_PATH attribute from the <code>msg.PathAttributes</code> slice in the <code>UpdatePathAttrs4ByteAs</code> function.</li>
<li>Removing the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.</li>
<li>The function attempts to access the AS_PATH attribute using a stale index (<code>asAttrPos</code>) calculated before the slice modification.</li>
<li>Due to the index shift, accessing <code>msg.PathAttributes[asAttrPos]</code> results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade GoBGP to a patched version that addresses CVE-2026-41643.</li>
<li>Monitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.</li>
<li>Implement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial of service</category><category>bgp</category><category>network</category></item><item><title>GoBGP Remote Denial of Service via Malformed BGP Update Message</title><link>https://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/</guid><description>A denial-of-service vulnerability exists in GoBGP version 4.3.0 where a malformed BGP UPDATE message containing an unrecognized Well-known Path Attribute triggers a nil pointer dereference, causing the BGP daemon to crash.</description><content:encoded><![CDATA[<p>GoBGP version 4.3.0 is susceptible to a denial-of-service (DoS) vulnerability triggered by malformed BGP UPDATE messages. Specifically, when GoBGP receives an UPDATE message containing an unrecognized Path Attribute marked as &ldquo;Well-known&rdquo; (Optional bit set to 0), the daemon fails to properly handle the error. This leads to a nil pointer dereference, resulting in a panic and subsequent crash of the entire GoBGP process. This vulnerability, disclosed in GHSA-7235-89m6-f4px, can be exploited by any BGP peer, internal or external, sending such a malformed message. This poses a significant risk to network stability as it can disrupt BGP routing and connectivity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker establishes a standard BGP session with the targeted GoBGP instance, completing the OPEN/KEEPALIVE exchange.</li>
<li>The attacker crafts a malicious BGP UPDATE message.</li>
<li>This UPDATE message includes a Path Attribute with the Optional bit set to 0 (Well-known).</li>
<li>The Path Attribute Type Code is set to an unrecognized value (e.g., 0xEE or 0xFF).</li>
<li>The parsing logic in GoBGP identifies the unrecognized Well-known attribute.</li>
<li>The <code>recvMessageloop</code> function in <code>pkg/server/fsm.go</code> fails to halt execution after identifying the malformed attribute.</li>
<li>The code attempts to dereference a nil pointer associated with the invalid message body.</li>
<li>This results in a &ldquo;panic: runtime error: invalid memory address or nil pointer dereference&rdquo;, causing the GoBGP daemon to crash, disrupting BGP routing.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability allows a remote attacker to cause a denial-of-service condition on GoBGP deployments. A single malformed UPDATE message is sufficient to trigger the crash, affecting all GoBGP instances peering with potentially malicious or compromised BGP speakers. This can lead to routing instability, network outages, and potential data plane disruptions. The affected version, 4.3.0, may be widely deployed in various network environments, making it a significant concern for network operators.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect GoBGP Malformed BGP Update</code> to identify crafted BGP UPDATE messages containing unrecognized Well-known Path Attributes via network traffic analysis.</li>
<li>Monitor BGP peer sessions for unexpected disconnects or restarts, which may indicate exploitation of this vulnerability.</li>
<li>Consider implementing BGP route filtering and validation mechanisms to mitigate the impact of malformed or malicious UPDATE messages.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>gobgp</category><category>dos</category><category>bgp</category><category>routing</category></item></channel></rss>