CVE-2026-5123: Off-by-One in osrg GoBGP
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
AI Analysis
Technical Summary
An off-by-one vulnerability exists in osrg GoBGP up to version 4.3.0 in the DecodeFromBytes function of the pkg/packet/bgp/bgp.go file. Manipulating the data[1] argument can trigger this off-by-one error. The vulnerability is remotely exploitable but requires a high level of complexity to successfully exploit. The issue has been addressed by a patch identified by commit 67c059413470df64bc20801c46f64058e88f800f. The CVSS 4.0 score of 6.3 reflects a medium severity impact with network attack vector and high attack complexity.
Potential Impact
Successful exploitation could lead to an off-by-one error in the processing of BGP packets, potentially causing memory corruption or unexpected behavior in GoBGP. However, the attack complexity is high, and no privileges, user interaction, or vulnerabilities in confidentiality, integrity, or availability have been explicitly reported. No known active exploits have been observed.
Mitigation Recommendations
A patch is available for this vulnerability, identified by commit 67c059413470df64bc20801c46f64058e88f800f. Users of osrg GoBGP versions 4.0 through 4.3.0 should apply this patch to remediate the issue. No alternative mitigations or vendor advisory details are provided, so applying the official patch is the recommended course of action.
CVE-2026-5123: Off-by-One in osrg GoBGP
Description
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
An off-by-one vulnerability exists in osrg GoBGP up to version 4.3.0 in the DecodeFromBytes function of the pkg/packet/bgp/bgp.go file. Manipulating the data[1] argument can trigger this off-by-one error. The vulnerability is remotely exploitable but requires a high level of complexity to successfully exploit. The issue has been addressed by a patch identified by commit 67c059413470df64bc20801c46f64058e88f800f. The CVSS 4.0 score of 6.3 reflects a medium severity impact with network attack vector and high attack complexity.
Potential Impact
Successful exploitation could lead to an off-by-one error in the processing of BGP packets, potentially causing memory corruption or unexpected behavior in GoBGP. However, the attack complexity is high, and no privileges, user interaction, or vulnerabilities in confidentiality, integrity, or availability have been explicitly reported. No known active exploits have been observed.
Mitigation Recommendations
A patch is available for this vulnerability, identified by commit 67c059413470df64bc20801c46f64058e88f800f. Users of osrg GoBGP versions 4.0 through 4.3.0 should apply this patch to remediate the issue. No alternative mitigations or vendor advisory details are provided, so applying the official patch is the recommended course of action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-03-30T07:50:35.204Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ca9c6fe6bfc5ba1d4725b4
Added to database: 3/30/2026, 3:53:19 PM
Last enriched: 4/7/2026, 6:44:54 AM
Last updated: 5/15/2026, 10:56:33 AM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.