CVE-2026-5124 is a security vulnerability found in the open-source GoBGP project maintained by osrg, affecting versions 4.0 through 4.3.0. The issue resides in the BGPHeader.DecodeFromBytes function within the BGP Header Handler component (pkg/packet/bgp/bgp.go). This function is responsible for decoding BGP message headers from raw bytes. Due to improper access control checks during this decoding process, an attacker can remotely exploit the vulnerability to bypass intended access restrictions. The vulnerability does not require authentication or user interaction, and the attacker can send specially crafted BGP packets to trigger the flaw. However, the attack complexity is high, making exploitation difficult. The impact primarily concerns the confidentiality and integrity of BGP routing information, potentially allowing unauthorized manipulation or disclosure of routing data. No impact on availability or system control is indicated. The vulnerability has a CVSS 4.0 base score of 6.3, reflecting medium severity. A patch has been released (commit f0f24a2a901cbf159260698211ab15c583ced131) to correct the access control logic in the decoding function. No known exploits have been observed in the wild to date. Given the critical role of BGP in internet routing, this vulnerability poses a risk to network infrastructure relying on GoBGP for BGP routing operations.

The vulnerability could allow remote attackers to bypass access controls in the BGP Header Handler, potentially leading to unauthorized access or manipulation of BGP routing information. This could undermine the confidentiality and integrity of routing data, possibly enabling route hijacking, interception, or traffic redirection. While the attack complexity is high and no known exploits exist, successful exploitation could disrupt trust in routing protocols and impact network security. Organizations relying on GoBGP for BGP routing, especially those managing large-scale or critical network infrastructure, may face increased risk of targeted attacks aiming to manipulate routing tables or intercept traffic. The lack of required privileges or user interaction lowers the barrier for remote exploitation, although the complexity remains a mitigating factor. The vulnerability does not directly affect system availability or control plane stability but could indirectly cause routing anomalies or degraded network performance if exploited.

1. Immediately apply the official patch identified by commit f0f24a2a901cbf159260698211ab15c583ced131 to all affected GoBGP instances. 2. Implement strict network segmentation and filtering to limit exposure of BGP ports (typically TCP 179) to trusted peers only, reducing the attack surface. 3. Employ BGP session authentication mechanisms such as TCP MD5 signatures or TCP-AO to prevent unauthorized BGP session establishment. 4. Monitor BGP session logs and routing updates for anomalies indicative of exploitation attempts or unauthorized access. 5. Use network intrusion detection systems (NIDS) with signatures tailored to detect malformed BGP packets targeting the DecodeFromBytes function. 6. Regularly update GoBGP and related network software to incorporate security patches and improvements. 7. Conduct periodic security audits and penetration tests focused on BGP infrastructure to identify and remediate potential weaknesses. 8. Establish incident response procedures specifically for BGP routing incidents to quickly mitigate any exploitation impact.