{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5123", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T07:50:35.204Z", "datePublished": "2026-03-30T15:15:14.229Z", "dateUpdated": "2026-04-01T18:10:27.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T15:15:14.229Z"}, "title": "osrg GoBGP bgp.go DecodeFromBytes off-by-one", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-193", "lang": "en", "description": "Off-by-One"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-189", "lang": "en", "description": "Numeric Error"}]}], "affected": [{"vendor": "osrg", "product": "GoBGP", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1", "status": "affected"}, {"version": "4.2", "status": "affected"}, {"version": "4.3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T09:55:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Sunxj (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354155", "name": "VDB-354155 | osrg GoBGP bgp.go DecodeFromBytes off-by-one", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354155/cti", "name": "VDB-354155 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780179", "name": "Submit #780179 | osrg GoBGP 4.3.0 Off-by-one Error", "tags": ["third-party-advisory"]}, {"url": "https://github.com/osrg/gobgp/pull/3342", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f", "tags": ["patch"]}, {"url": "https://github.com/osrg/gobgp/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:10:08.172425Z", "id": "CVE-2026-5123", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:10:27.344Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5123", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-30T07:50:35.204Z", "datePublished": "2026-03-30T15:15:14.229Z", "dateUpdated": "2026-04-01T18:10:27.344Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-30T15:15:14.229Z"}, "title": "osrg GoBGP bgp.go DecodeFromBytes off-by-one", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-193", "lang": "en", "description": "Off-by-One"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-189", "lang": "en", "description": "Numeric Error"}]}], "affected": [{"vendor": "osrg", "product": "GoBGP", "versions": [{"version": "4.0", "status": "affected"}, {"version": "4.1", "status": "affected"}, {"version": "4.2", "status": "affected"}, {"version": "4.3.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-30T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-30T09:55:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Sunxj (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354155", "name": "VDB-354155 | osrg GoBGP bgp.go DecodeFromBytes off-by-one", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354155/cti", "name": "VDB-354155 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780179", "name": "Submit #780179 | osrg GoBGP 4.3.0 Off-by-one Error", "tags": ["third-party-advisory"]}, {"url": "https://github.com/osrg/gobgp/pull/3342", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f", "tags": ["patch"]}, {"url": "https://github.com/osrg/gobgp/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:10:08.172425Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:10:17.883Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Se ha identificado una debilidad en osrg GoBGP hasta 4.3.0. Esto impacta en la funci\u00f3n DecodeFromBytes del archivo pkg/packet/bgp/bgp.go. Ejecutar una manipulaci\u00f3n del argumento data[1] puede llevar a off-by-one. El ataque puede ser lanzado remotamente. Ataques de esta naturaleza son altamente complejos. La explotabilidad se dice que es dif\u00edcil. Este parche se llama 67c059413470df64bc20801c46f64058e88f800f. Un parche deber\u00eda aplicarse para remediar este problema."}], "id": "CVE-2026-5123", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-30T16:16:10.123", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/osrg/gobgp/"}, {"source": "cna@vuldb.com", "url": "https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f"}, {"source": "cna@vuldb.com", "url": "https://github.com/osrg/gobgp/pull/3342"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780179"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354155"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354155/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}, {"lang": "en", "value": "CWE-193"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GoBGP", "source": "cna", "vendor": "osrg"}, "product": "gobgp", "vendor": "osrg"}], "analysis": {"en": {"generated_at": "2026-03-30T17:23:15.934095+00:00", "value": {"mitigation_remediation": ["Apply the patch commit 67c059413470df64bc20801c46f64058e88f800f to GoBGP", "Upgrade to GoBGP version 4.3.1 or later", "If immediate upgrade is not possible, limit external access to the BGP service and monitor for abnormal activity"], "summary": {"action": "Apply patch", "impact": "Memory corruption potentially leading to remote code execution"}, "threat_synthesis": {"affected_systems": "The bug exists in GoBGP versions up to 4.3.0 distributed by osrg. Any installation of those releases, regardless of operating system, is vulnerable until the patch is applied.", "description_and_impact": "The vulnerability is an off\u2011by\u2011one error in the DecodeFromBytes function of goBGP's BGP packet handling module. The error corrupts memory when the second byte of the input payload is manipulated, which an attacker may exploit to hijack the control flow or crash the process. This can lead to loss of integrity and availability, and in the worst case give an attacker the ability to execute arbitrary code on the host.", "risk_and_exploitability": "The CVSS score of 6.3 denotes a medium severity, and the description indicates the exploit is remotely available but technically complex and difficult. No EPSS value is reported and the vulnerability is not in the CISA KEV list. Attackers would need to craft a specific byte sequence that targets the off\u2011by\u2011one condition, making widespread exploitation unlikely at present."}}}}, "created": "2026-03-30T20:55:36.417121+00:00", "updated": "2026-03-31T20:40:52.722275+00:00", "vendors": ["osrg", "osrg$PRODUCT$gobgp"]}