An integer underflow exists in the BGPUpdate.DecodeFromBytes function within gobgp v4.3.0, located in the /bgp/bgp.go source file. This vulnerability can be triggered by an attacker supplying a crafted BGP UPDATE message, resulting in a Denial of Service condition. The vulnerability was published on June 3, 2026, but no patch or official remediation details are currently available. The vulnerability affects the open-source BGP implementation gobgp and is not related to any cloud service. No exploits have been observed in the wild to date.

Successful exploitation of this vulnerability allows an attacker to cause a Denial of Service (DoS) on systems running vulnerable versions of gobgp by sending malicious BGP UPDATE messages. This could disrupt network routing processes relying on gobgp, potentially impacting network availability. There is no evidence of privilege escalation, data disclosure, or code execution from the provided information.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting or filtering BGP UPDATE messages from untrusted sources to reduce exposure. Monitor vendor channels for updates regarding patches or workarounds.