{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30405", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-17T15:24:03.136Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T16:16:12.457Z"}, "descriptions": [{"lang": "en", "value": "An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/osrg/gobgp/issues/3305"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T15:23:36.603358Z", "id": "CVE-2026-30405", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:24:03.136Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30405", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T15:23:36.603358Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:23:59.148Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/osrg/gobgp/issues/3305"}], "descriptions": [{"lang": "en", "value": "An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T16:16:12.457Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30405", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:24:03.136Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osrg:gobgp:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EA49849E-8D31-4BF0-B76D-CA8C4329D378", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute"}, {"lang": "es", "value": "Un problema en GoBGP gobgpd v.4.2.0 permite a un atacante remoto causar una denegaci\u00f3n de servicio a trav\u00e9s del atributo de ruta NEXT_HOP."}], "id": "CVE-2026-30405", "lastModified": "2026-04-07T01:04:23.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T17:16:29.790", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/osrg/gobgp/issues/3305"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.2.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 95.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "gobgp", "vendor": "osrg"}], "analysis": {"en": {"generated_at": "2026-04-07T10:23:24.691848+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest GoBGP release that resolves the NEXT_HOP attribute handling issue.", "If an immediate upgrade is not possible, restrict or block incoming BGP UPDATE messages from untrusted peers until a patch is applied.", "Continuously monitor BGP session logs and system resource usage for sudden spikes that may indicate a denial\u2011of\u2011service event."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems are instances of the OSRG GoBGP distribution running exactly version 4.2.0. Any machine that accepts external BGP updates from peers not fully trusted is susceptible; no other GoBGP versions are known to be impacted.", "description_and_impact": "The vulnerability in GoBGP version 4.2.0 allows a remote attacker to cause a denial of service by manipulating the NEXT_HOP path attribute in BGP UPDATE messages. This flaw triggers resource exhaustion, disrupting normal routing operations and potentially rendering affected routers inoperative. The weakness is classified as a resource exhaustion vulnerability (CWE-400). The CVE description states the impact but does not explicitly describe the attack vector; it is inferred that the attacker would need to send a crafted BGP UPDATE containing a malformed NEXT_HOP attribute.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that exploitation requires establishing a BGP session with the vulnerable daemon and sending a specifically crafted UPDATE message, which may be limited to environments that receive BGP traffic from untrusted sources. If exploited, the outage could affect network reachability for all routes processed by the affected instance."}}}}, "created": "2026-03-17T09:55:30.524372+00:00", "updated": "2026-04-08T20:02:32.580486+00:00", "vendors": ["osrg", "osrg$PRODUCT$gobgp"]}