
CVE-2026-5123: Off-by-One in osrg GoBGP

Severity: Medium
Type: Vulnerability
Published: Mon Mar 30 2026 (03/30/2026, 15:15:14 UTC)
Source: CVE Database V5
Vendor/Project: osrg
Product: GoBGP

Description

A weakness has been identified in osrg GoBGP up to 4.3.0. It affects the function DecodeFromBytes in the file pkg/packet/bgp/bgp.go. Manipulating the argument data[1] can lead to an off-by-one error. The attack may be launched remotely. Attacks of this nature are highly complex, and exploitability is said to be difficult. The patch is identified as 67c059413470df64bc20801c46f64058e88f800f. Applying the patch is recommended to remediate this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/30/2026, 16:08:43 UTC

Technical Analysis

CVE-2026-5123 is a medium-severity off-by-one vulnerability found in the osrg GoBGP project, specifically affecting versions 4.0 through 4.3.0. The vulnerability exists in the DecodeFromBytes function located in the pkg/packet/bgp/bgp.go source file. It is triggered by manipulation of the second byte (data[1]) of the input data, which causes an off-by-one error during packet decoding. This type of error can lead to memory corruption, potentially allowing an attacker to alter the program’s execution flow or cause unexpected behavior. The vulnerability can be exploited remotely without requiring authentication or user interaction, but the complexity of crafting a successful exploit is high due to the precise nature of the off-by-one condition and the internal workings of the BGP protocol parsing. The impact primarily concerns the integrity of the GoBGP daemon, which is a widely used open-source BGP implementation for routing in large-scale networks. The vulnerability does not directly compromise confidentiality or availability but could be leveraged as part of a broader attack chain. The patch identified by commit 67c059413470df64bc20801c46f64058e88f800f corrects the boundary check to prevent the off-by-one condition. No known active exploits have been reported, but the presence of this flaw in critical routing software necessitates prompt remediation to prevent potential future attacks.

Potential Impact

The primary impact of CVE-2026-5123 is on the integrity of network routing infrastructure that relies on GoBGP. Successful exploitation could lead to memory corruption within the GoBGP process, potentially allowing attackers to execute arbitrary code or cause denial of service through process crashes. Given GoBGP’s role in managing Border Gateway Protocol (BGP) sessions, exploitation could disrupt routing decisions or enable malicious route injection if combined with other vulnerabilities or misconfigurations. This could affect the stability and reliability of internet routing for affected organizations, leading to network outages or traffic interception. Although exploitation is complex and no active exploits are known, the widespread use of GoBGP in ISPs, cloud providers, and large enterprises means the potential impact is significant if attackers develop reliable exploits. The vulnerability does not require authentication, increasing the attack surface, but the high complexity reduces immediate risk. Organizations that do not patch may face increased risk of targeted attacks aiming to disrupt or manipulate BGP routing.

Mitigation Recommendations

To mitigate CVE-2026-5123, organizations should immediately apply the official patch identified by commit 67c059413470df64bc20801c46f64058e88f800f to all affected GoBGP versions (4.0 through 4.3.0). Network administrators should verify the GoBGP version in use and upgrade to a patched release or rebuild from source including the fix. Additionally, implement strict network segmentation and access controls to limit exposure of BGP daemons to untrusted networks, reducing the attack surface. Employ monitoring and anomaly detection on BGP session behavior to identify unusual routing updates or crashes that could indicate exploitation attempts. Regularly audit and update routing software dependencies and maintain an incident response plan for routing infrastructure compromise. Consider deploying BGP session authentication mechanisms such as TCP MD5 signatures or BGP TTL security to further harden BGP sessions. Finally, maintain up-to-date threat intelligence feeds to stay informed of any emerging exploits targeting this vulnerability.
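
To support the version check recommended above, this added example (not code from GoBGP or from this page) scans go.mod text for GoBGP requirements and classifies each version against the 4.0 through 4.3.0 range stated on the page. The module path prefix `github.com/osrg/gobgp` and the sample go.mod are assumptions; versions below 4.0 and pseudo-versions are flagged for manual review, since the description gives no lower bound and a pseudo-version may or may not contain the fix commit.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	Affected     = "affected"              // release inside the page's 4.0 through 4.3.0 range
	NotAffected  = "not-affected"          // release newer than 4.3.0
	Review       = "review"                // pre-4.0, pseudo-version or unparsable: check by hand
	modulePrefix = "github.com/osrg/gobgp" // assumption: upstream repository path, matched as a prefix
)

// Classify maps a module version string such as "v4.2.0" to a verdict.
func Classify(version string) string {
	v := strings.TrimSuffix(strings.TrimPrefix(version, "v"), "+incompatible")
	parts := strings.Split(v, ".")
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p) // fails on pre-release parts such as "0-rc1"
		if err != nil || len(parts) != 3 {
			return Review // pseudo-versions split into four parts and land here too
		}
		n[i] = x
	}
	switch {
	case n[0] < 4: // the description says "up to 4.3.0" with no lower bound
		return Review
	case n[0] == 4 && (n[1] < 3 || (n[1] == 3 && n[2] == 0)):
		return Affected
	}
	return NotAffected
}

// ScanGoMod returns one verdict per GoBGP module path required in go.mod text.
func ScanGoMod(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && strings.HasPrefix(f[0], modulePrefix) {
			out[f[0]] = Classify(f[1])
		}
	}
	return out
}

// main runs the scan on constructed go.mod text, not taken from a real project.
func main() { fmt.Println(ScanGoMod("require (\n\tgithub.com/osrg/gobgp/v4 v4.2.0\n)\n")) }
```

A `review` verdict means the build has to be compared against the patch commit named on this page rather than judged by version number alone.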


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-30T07:50:35.204Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69ca9c6fe6bfc5ba1d4725b4

Added to database: 3/30/2026, 3:53:19 PM

Last enriched: 3/30/2026, 4:08:43 PM

Last updated: 3/31/2026, 4:08:51 AM
