{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5123", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T07:50:35.204Z", "datePublished": "2026-03-30T15:15:14.229Z", "dateUpdated": "2026-04-01T18:10:27.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T15:15:14.229Z"}, "title": "osrg GoBGP bgp.go DecodeFromBytes off-by-one", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-193", "lang": "en", "description": "Off-by-One"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-189", "lang": "en", "description": "Numeric Error"}]}], "affected": [{"vendor": "osrg", "product": "GoBGP", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1", "status": "affected"}, {"version": "4.2", "status": "affected"}, {"version": "4.3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T09:55:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Sunxj (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354155", "name": "VDB-354155 | osrg GoBGP bgp.go DecodeFromBytes off-by-one", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354155/cti", "name": "VDB-354155 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780179", "name": "Submit #780179 | osrg GoBGP 4.3.0 Off-by-one Error", "tags": ["third-party-advisory"]}, {"url": "https://github.com/osrg/gobgp/pull/3342", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f", "tags": ["patch"]}, {"url": "https://github.com/osrg/gobgp/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:10:08.172425Z", "id": "CVE-2026-5123", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:10:27.344Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5123", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T07:50:35.204Z", "datePublished": "2026-03-30T15:15:14.229Z", "dateUpdated": "2026-04-01T18:10:27.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T15:15:14.229Z"}, "title": "osrg GoBGP bgp.go DecodeFromBytes off-by-one", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-193", "lang": "en", "description": "Off-by-One"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-189", "lang": "en", "description": "Numeric Error"}]}], "affected": [{"vendor": "osrg", "product": "GoBGP", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1", "status": "affected"}, {"version": "4.2", "status": "affected"}, {"version": "4.3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T09:55:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Sunxj (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354155", "name": "VDB-354155 | osrg GoBGP bgp.go DecodeFromBytes off-by-one", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354155/cti", "name": "VDB-354155 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780179", "name": "Submit #780179 | osrg GoBGP 4.3.0 Off-by-one Error", "tags": ["third-party-advisory"]}, {"url": "https://github.com/osrg/gobgp/pull/3342", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f", "tags": ["patch"]}, {"url": "https://github.com/osrg/gobgp/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:10:08.172425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:10:17.883Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*", "matchCriteriaId": "05DBB6FD-F3CD-4BF0-A573-D1E87307A50F", "versionEndExcluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Se ha identificado una debilidad en osrg GoBGP hasta 4.3.0. Esto impacta en la funci\u00f3n DecodeFromBytes del archivo pkg/packet/bgp/bgp.go. Ejecutar una manipulaci\u00f3n del argumento data[1] puede llevar a off-by-one. El ataque puede ser lanzado remotamente. Ataques de esta naturaleza son altamente complejos. La explotabilidad se dice que es dif\u00edcil. Este parche se llama 67c059413470df64bc20801c46f64058e88f800f. Un parche deber\u00eda aplicarse para remediar este problema."}], "id": "CVE-2026-5123", "lastModified": "2026-04-06T15:46:13.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-30T16:16:10.123", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/osrg/gobgp/"}, {"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/osrg/gobgp/pull/3342"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/submit/780179"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/vuln/354155"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/vuln/354155/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}, {"lang": "en", "value": "CWE-193"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GoBGP", "source": "cna", "vendor": "osrg"}, "product": "gobgp", "vendor": "osrg"}], "analysis": {"en": {"generated_at": "2026-04-06T20:10:00.655645+00:00", "value": {"mitigation_remediation": ["Apply the official patch referenced by commit 67c059413470df64bc20801c46f64058e88f800f to upgrade GoBGP to a fixed version (4.3.1 or later).", "If an immediate update is not feasible, restrict inbound BGP connections to trusted peers and apply network segmentation to reduce exposure to malicious traffic."], "summary": {"action": "Apply Patch", "impact": "Remote BGP packet parsing error"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the osrg GoBGP project, specifically versions up to and including 4.3.0. The affected component is the DecodeFromBytes routine located in pkg/packet/bgp/bgp.go.", "description_and_impact": "The flaw lies in the GoBGP routing daemon\u2019s DecodeFromBytes function, where manipulating the second byte of a BGP message can cause an off\u2011by\u2011one error during packet parsing. This mistake may lead to malformed packet handling and potentially disrupt routing logic, but no evidence of memory corruption or arbitrary code execution is provided.", "risk_and_exploitability": "The CVSS score of 6.3 denotes moderate severity. The EPSS score is below 1\u202f%, indicating a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack vector is remote, requiring a crafted BGP packet from an external peer; however, the nature of the exploit is complex and the vulnerability is described as difficult to exploit in practice."}}}}, "created": "2026-03-30T20:55:36.417121+00:00", "updated": "2026-04-07T08:08:38.138322+00:00", "vendors": ["osrg", "osrg$PRODUCT$gobgp"]}