Off-by-One Vulnerability in osrg GoBGP Product
CVE-2026-5123

6.3 MEDIUM

Key Information:

Vendor: Osrg

Status: Vendor

CVE Published: 30 March 2026

What is CVE-2026-5123?

A vulnerability has been discovered in the osrg GoBGP product, affecting the DecodeFromBytes function in pkg/packet/bgp/bgp.go. Manipulation of the argument data[1] can lead to an off-by-one error. The attack can be launched remotely, but exploitation is considered difficult. A patch has been released that addresses this vulnerability, and users are advised to apply it.

Affected Version(s)

GoBGP 4.0

GoBGP 4.1

GoBGP 4.2

References

CVSS V4

Score: 6.3

Severity: MEDIUM

Confidentiality: None

Integrity: None

Availability: Low

Attack Vector: Network

Attack Complexity: High

Attack Requirements: None

Privileges Required: Undefined

User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sunxj (VulDB User)