{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/osrg/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7736"}],"_cs_exploited":false,"_cs_products":["GoBGP (\u003c= 4.3.0)"],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability","integer underflow","bgp"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eA vulnerability exists in osrg GoBGP, specifically in versions up to 4.3.0. The flaw is located within the \u003ccode\u003eparseRibEntry\u003c/code\u003e function of the \u003ccode\u003epkg/packet/mrt/mrt.go\u003c/code\u003e file. This integer underflow vulnerability, identified as CVE-2026-7736, can be triggered remotely by an attacker who sends malicious or unexpected data to the affected function. Successful exploitation could lead to a denial-of-service condition or other unspecified consequences. Users are advised to upgrade to version 4.4.0, which contains the patch identified as 76d911046344a3923cbe573364197aa081944592, to mitigate the risk. The vulnerability poses a risk to network infrastructure relying on the BGP protocol, potentially impacting routing stability and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable GoBGP instance running a version prior to 4.4.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious MRT (Multi-Threaded Routing Toolkit) message.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted MRT message to the vulnerable GoBGP instance. This is typically done over a TCP connection to the BGP port (179).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseRibEntry\u003c/code\u003e function processes the malicious MRT message.\u003c/li\u003e\n\u003cli\u003eDue to the integer underflow vulnerability, the \u003ccode\u003eparseRibEntry\u003c/code\u003e function calculates an incorrect value.\u003c/li\u003e\n\u003cli\u003eThis incorrect value leads to unexpected behavior such as a crash or resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe GoBGP process becomes unstable or terminates.\u003c/li\u003e\n\u003cli\u003eThis disrupts BGP routing, potentially leading to a denial-of-service condition for network services that rely on BGP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow a remote attacker to disrupt BGP routing, leading to a denial-of-service condition. The precise impact will depend on the specific network configuration and the role of the affected GoBGP instance. Systems relying on the BGP protocol for routing information could experience connectivity issues or routing instability. While the number of affected deployments is unknown, any organization utilizing GoBGP in their network infrastructure is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to GoBGP version 4.4.0 or later to remediate the integer underflow vulnerability described in CVE-2026-7736.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected MRT messages being sent to GoBGP instances using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eReview and harden BGP configurations to limit exposure and potential attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T07:16:01Z","date_published":"2026-05-04T07:16:01Z","id":"/briefs/2026-05-gobgp-integer-underflow/","summary":"osrg GoBGP up to version 4.3.0 is vulnerable to an integer underflow in the parseRibEntry function, potentially allowing a remote attacker to cause a denial of service or other unspecified impacts; version 4.4.0 addresses this issue.","title":"osrg GoBGP Integer Underflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-gobgp-integer-underflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7735"}],"_cs_exploited":false,"_cs_products":["GoBGP (\u003c= 4.3.0)"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7735","buffer-overflow","bgp"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eA buffer overflow vulnerability has been identified in the osrg GoBGP software, specifically affecting versions up to 4.3.0. The vulnerability resides in the \u003ccode\u003ePathAttributeAigp.DecodeFromBytes\u003c/code\u003e function of the \u003ccode\u003epkg/packet/bgp/bgp.go\u003c/code\u003e file, which is part of the AIGP Attribute Parser component. An attacker can remotely trigger this vulnerability by sending a crafted BGP message containing a malicious AIGP attribute. Successful exploitation could lead to arbitrary code execution on the affected system. GoBGP is an open source BGP implementation. Organizations using GoBGP for routing purposes should upgrade to version 4.4.0 or apply the provided patch (51ad1ada06cb41ce47b7066799981816f50b7ced) to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a GoBGP instance running a vulnerable version (\u0026lt;= 4.3.0).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious BGP update message containing a specially crafted AIGP attribute.\u003c/li\u003e\n\u003cli\u003eThe crafted AIGP attribute is designed to trigger a buffer overflow in the \u003ccode\u003ePathAttributeAigp.DecodeFromBytes\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious BGP update message to the vulnerable GoBGP instance over TCP port 179.\u003c/li\u003e\n\u003cli\u003eThe GoBGP instance receives the message and attempts to parse the AIGP attribute using the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePathAttributeAigp.DecodeFromBytes\u003c/code\u003e function fails to properly validate the size of the input data, leading to a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to execute arbitrary code on the GoBGP instance, gaining control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected GoBGP instance. This can lead to a complete compromise of the routing infrastructure, allowing the attacker to intercept, modify, or disrupt network traffic. In service provider environments, this could affect a large number of customers and cause significant network outages. Given the CVSS v3.1 score of 7.3, this is considered a high-severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to GoBGP version 4.4.0 to remediate the vulnerability as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eApply the patch \u003ccode\u003e51ad1ada06cb41ce47b7066799981816f50b7ced\u003c/code\u003e to the affected component to mitigate the vulnerability if upgrading is not immediately possible.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for BGP update messages with unusually large or malformed AIGP attributes, using a network intrusion detection system.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting connections to port 179 from unusual sources to identify potentially malicious hosts attempting to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden BGP configuration to limit accepted peer connections to trusted sources only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T06:16:02Z","date_published":"2026-05-04T06:16:02Z","id":"/briefs/2026-05-gobgp-buffer-overflow/","summary":"A remote buffer overflow vulnerability exists in osrg GoBGP up to version 4.3.0 within the PathAttributeAigp.DecodeFromBytes function, allowing attackers to potentially execute arbitrary code by manipulating the AIGP Attribute Parser.","title":"GoBGP AIGP Attribute Parser Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-gobgp-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GoBGP"],"_cs_severities":["medium"],"_cs_tags":["denial of service","bgp","network"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eA remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function within \u003ccode\u003einternal/pkg/table/message.go\u003c/code\u003e. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message. This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.\u003c/li\u003e\n\u003cli\u003eThe crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.\u003c/li\u003e\n\u003cli\u003eThe AS4_PATH attribute is intentionally malformed to trigger a validation error.\u003c/li\u003e\n\u003cli\u003eThe GoBGP process attempts to remove the invalid AS4_PATH attribute from the \u003ccode\u003emsg.PathAttributes\u003c/code\u003e slice in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eRemoving the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.\u003c/li\u003e\n\u003cli\u003eThe function attempts to access the AS_PATH attribute using a stale index (asAttrPos) calculated before the slice modification.\u003c/li\u003e\n\u003cli\u003eDue to the index shift, accessing \u003ccode\u003emsg.PathAttributes[asAttrPos]\u003c/code\u003e results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GoBGP to a patched version that addresses CVE-2026-41643.\u003c/li\u003e\n\u003cli\u003eMonitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gobgp-dos/","summary":"A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.","title":"GoBGP Remote Denial of Service via Malformed BGP UPDATE Message","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Osrg","version":"https://jsonfeed.org/version/1.1"}