CVE-2026-41642

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published May 07, 2026

Vendor unknown

Description

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.

References

https://github.com/osrg/gobgp/releases/tag/v4.4.0
https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px