CVE-2026-5122 affects the osrg GoBGP project, a widely used open-source BGP (Border Gateway Protocol) implementation, up to version 4.3.0. The vulnerability exists in the DecodeFromBytes function within the pkg/packet/bgp/bgp.go file, which handles BGP OPEN messages. The flaw is due to improper access controls triggered by manipulation of the domainNameLen argument, which is used during the decoding process of BGP OPEN messages. This improper validation can lead to unauthorized access or influence over the BGP session establishment process. Since BGP is critical for internet routing, any flaw in its handling can have significant network implications. The vulnerability can be exploited remotely without requiring authentication or user interaction, but the attack complexity is high, making exploitation difficult. The CVSS 4.0 base score is 6.3 (medium severity), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited impact on integrity. No known exploits have been reported in the wild, but the availability of a patch (commit 2b09db390a3d455808363c53e409afe6b1b86d2d) indicates the issue has been addressed by the vendor. Organizations running affected GoBGP versions should prioritize patching to prevent potential exploitation.

The vulnerability impacts the confidentiality and integrity of BGP sessions managed by GoBGP. Successful exploitation could allow attackers to manipulate BGP OPEN message processing, potentially leading to unauthorized access or disruption of BGP session establishment. This could result in routing instability, traffic interception, or denial of service in networks relying on GoBGP for routing. Given BGP's role in internet backbone routing and enterprise networks, exploitation could affect network availability and trustworthiness. However, the high complexity and lack of known exploits reduce immediate risk. Organizations operating critical infrastructure or large-scale networks using GoBGP are at higher risk, as exploitation could impact network routing and connectivity on a broader scale.

Apply the official patch identified by commit 2b09db390a3d455808363c53e409afe6b1b86d2d immediately to all affected GoBGP instances (versions 4.0 through 4.3.0). In addition, network administrators should: 1) Restrict BGP session establishment to trusted peers only, using access control lists and firewall rules to limit exposure. 2) Monitor BGP session logs for unusual OPEN message activity or anomalies in domainNameLen values. 3) Employ network segmentation to isolate BGP routers from untrusted networks. 4) Use BGP session authentication mechanisms such as TCP MD5 signatures or TCP-AO to reduce risk of unauthorized session manipulation. 5) Regularly update and audit GoBGP deployments to ensure no outdated versions remain. 6) Implement anomaly detection systems focused on BGP traffic to identify potential exploitation attempts early.