{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26514", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-04T15:39:12.164Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-04T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T15:10:37.193Z"}, "descriptions": [{"lang": "en", "value": "An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/xddxdd/bird-lg-go/issues/136"}, {"url": "https://github.com/xddxdd/bird-lg-go/commit/6187a4e3afce6d8c29568f8c72ca497d1f5a2b56"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-88", "lang": "en", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T15:38:24.892671Z", "id": "CVE-2026-26514", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:39:12.164Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26514", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T15:38:24.892671Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:36:54.868Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/xddxdd/bird-lg-go/issues/136"}, {"url": "https://github.com/xddxdd/bird-lg-go/commit/6187a4e3afce6d8c29568f8c72ca497d1f5a2b56"}], "descriptions": [{"lang": "en", "value": "An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-04T15:10:37.193Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26514", "state": "PUBLISHED", "dateUpdated": "2026-03-04T15:39:12.164Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-04T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xddxdd:bird-lg-go:*:*:*:*:*:go:*:*", "matchCriteriaId": "1F935CE4-EC4C-4F3F-B8A8-AD423C5AB755", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service (DoS) by exhausting system resources."}], "id": "CVE-2026-26514", "lastModified": "2026-03-05T18:07:05.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-04T16:16:27.713", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/xddxdd/bird-lg-go/commit/6187a4e3afce6d8c29568f8c72ca497d1f5a2b56"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xddxdd/bird-lg-go/issues/136"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "6187a4e"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "bird-lg-go", "vendor": "xddxdd"}], "analysis": {"en": {"generated_at": "2026-04-16T13:48:14.159753+00:00", "value": {"mitigation_remediation": ["Upgrade bird\u2011lg\u2011go to a version built after commit 6187a4e which adds input validation to the traceroute module.", "For environments where immediate upgrade is not feasible, block or validate the q parameter to allow only whitelisted flags before the split operation.", "Configure resource limits for the traceroute process\u2014such as CPU or memory quotas, timeouts, and connection caps\u2014to mitigate potential exhaustion.", "Deploy monitoring to detect abnormal traceroute request patterns and alert on excessive resource usage."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via Argument Injection"}, "threat_synthesis": {"affected_systems": "xddxdd:bird-lg-go is affected. The vulnerability applies to any instance of the project prior to the commit that introduces the input validation fix. Users should verify the commit hash of their installed version.", "description_and_impact": "The vulnerability is an Argument Injection flaw that exists in the traceroute module of bird\u2011lg\u2011go before a specific commit. The implementation uses shlex.Split without validating user input, enabling a remote attacker to embed arbitrary command flags such as -w or -q through the q parameter. This injection can lead to excessive consumption of system resources, resulting in a denial of service.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests low but nonzero exploit probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by sending a specially crafted request to the traceroute module, injecting flags that deplete system resources and trigger a service crash. The required components are the vulnerable software and network connectivity to the traceroute interface."}}}}, "created": "2026-03-05T09:08:53.346870+00:00", "title": "Argument Injection in Traceroute Module Allows Denial of Service", "updated": "2026-04-16T14:00:19.459875+00:00", "vendors": ["xddxdd", "xddxdd$PRODUCT$bird-lg-go"]}