CVE-2025-43972
Description
An issue was discovered in GoBGP before 3.35.0. An attacker can cause a crash in the pkg/packet/bgp/bgp.go flowspec parser by sending fewer than 20 bytes in a certain context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoBGP before 3.35.0 has a crash vulnerability in its flowspec parser when processing fewer than 20 bytes in an IPv6 FlowSpec extended community.
Vulnerability
Description
CVE-2025-43972 is a denial-of-service vulnerability in GoBGP, an open-source Border Gateway Protocol (BGP) implementation written in Go. The issue resides in the flowspec parser within pkg/packet/bgp/bgp.go. Specifically, when handling an IPv6 FlowSpec redirect extended community (EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6), the code does not validate that the input data contains at least 20 bytes before attempting to parse the IPv6 address and local administrator fields [1][2]. This insufficient length check mirrors a similar flaw in the MRT parser (also fixed in v3.35.0) where the slice could be empty after the initial bounds check, leading to an out-of-bounds panic [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted BGP UPDATE message containing a malformed flowspec extended community with fewer than 20 bytes of data. The attack does not require authentication if the attacker can establish a BGP session with a vulnerable GoBGP instance. Since the parser is invoked during the processing of received BGP routes, any peer that can inject BGP updates can trigger the crash. The vulnerability is reachable without any special privileges beyond being a BGP-speaking peer [1][2].
Impact
Successful exploitation causes a panic in the GoBGP process, leading to a crash of the BGP daemon. This results in a denial of service (DoS) condition, disrupting BGP routing operations for the affected network. The crash can be repeated, preventing the victim from maintaining stable BGP sessions and potentially causing routing instability [1][2].
Mitigation
The vulnerability is fixed in GoBGP version 3.35.0. The patch adds explicit length checks before accessing the IPv6 and local admin fields in the flowspec parser [4]. Users should upgrade to v3.35.0 or later. There are no known workarounds other than restricting BGP peer access to trusted sources [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/osrg/gobgp (Go) | >= 0 | — |
| github.com/osrg/gobgp/v3 (Go) | < 3.35.0 | 3.35.0 |
Affected products
30 OSV package coordinates (purl) with affected version ranges; no CPE is assigned to any of them:

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cilium-1.15 | < 1.15.19-r3 |
| pkg:apk/chainguard/cilium-1.16 | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-clustermesh-apiserver | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-container-init | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-container-init-compat | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-hubble-relay | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-iptables | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-operator-aws | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-1.16-operator-generic | < 1.16.9-r1 |
| pkg:apk/chainguard/cilium-fips-1.15 | < 1.15.19-r7 |
| pkg:apk/chainguard/cilium-fips-1.16 | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-clustermesh-apiserver | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-container-init | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-container-init-compat | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-host-utils | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-hubble-relay | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-operator-aws | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-operator-azure | < 1.16.9-r2 |
| pkg:apk/chainguard/cilium-fips-1.16-operator-generic | < 1.16.9-r2 |
| pkg:apk/wolfi/cilium-1.15 | < 1.15.19-r3 |
| pkg:apk/wolfi/cilium-1.16 | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-container-init | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-container-init-compat | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-hubble-relay | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-iptables | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-operator-aws | < 1.16.9-r1 |
| pkg:apk/wolfi/cilium-1.16-operator-generic | < 1.16.9-r1 |
| pkg:golang/github.com/osrg/gobgp | >= 0 |
| pkg:golang/github.com/osrg/gobgp/v3 | < 3.35.0 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | < 0.0.20250422T181640-1.1 |

Other product entry: GoBGP/GoBGP v5 (range: 0)
Patches
1ca7383f450f7 pkg/packet/bgp: fix flowspec parser to check the input length
1 file changed · +4 −0
pkg/packet/bgp/bgp.go+4 −0 modified@@ -12708,6 +12708,10 @@ func parseGenericTransitiveExperimentalExtended(data []byte) (ExtendedCommunityI dscp := data[7] return NewTrafficRemarkExtended(dscp), nil case EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6: + if len(data) < 20 { + return nil, NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all extended community bytes for IPv6 FlowSpec are available") + } + ipv6 := net.IP(data[2:18]).String() localAdmin := binary.BigEndian.Uint16(data[18:20]) return NewRedirectIPv6AddressSpecificExtended(ipv6, localAdmin), nil
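Review bot: the bound of 20 is right (it covers both data[2:18] and data[18:20]), but the change touches only bgp.go (+4 −0) and ships no regression test; add a case to the existing extended-community parser tests that feeds a 19-byte EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6 payload to parseGenericTransitiveExperimentalExtended and asserts a MessageError is returned rather than a panic, so the fix is pinned against future refactors. It would also help to note in the commit message why the existing 8-byte minimum (enough for the dscp := data[7] branch above) is insufficient for this subtype.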
Vulnerability mechanics
Root cause
"Insufficient input length validation in the flowspec parser leads to an out-of-bounds slice access and a subsequent crash."
Attack vector
An attacker can trigger a crash by sending a BGP message containing an IPv6 FlowSpec redirect extended community with a payload shorter than 20 bytes [patch_id=28924]. Because the parser only verifies a minimum length of 8 bytes before attempting to access indices 2 through 20, the application will panic when it encounters an undersized slice [patch_id=28924]. This allows a remote attacker to cause a denial of service.
Affected code
The vulnerability is located in `pkg/packet/bgp/bgp.go` within the `parseGenericTransitiveExperimentalExtended` function. Specifically, the `EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6` case fails to validate that the input `data` slice contains sufficient bytes before accessing indices up to 19 [patch_id=28924].
What the fix does
The patch adds an explicit length check to the `EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6` case in `pkg/packet/bgp/bgp.go` [patch_id=28924]. It ensures that the `data` slice has at least 20 bytes before attempting to access the IPv6 address and local administrator fields. If the input is too short, the function now returns a `NewMessageError` instead of panicking [patch_id=28924].
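A minimal re-implementation of this branch, added here as an illustration (not GoBGP's own code), showing the pre-fix slice access panicking on a 19-byte input while the patched length check returns an error instead; the community bytes, header values and helper names (parseRedirectIPv6, parseUnchecked, sampleCommunity) are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Wire layout read by the parser: data[0] type, data[1] subtype,
// data[2:18] IPv6 address, data[18:20] local administrator (20 bytes).
const redirectIP6Len = 20

var errTooShort = errors.New("not all extended community bytes for IPv6 FlowSpec are available")

type RedirectIPv6 struct {
	IPv6       string
	LocalAdmin uint16
}

// parseRedirectIPv6 mirrors the patched branch: fail closed on short input.
func parseRedirectIPv6(data []byte) (*RedirectIPv6, error) {
	if len(data) < redirectIP6Len { // the check added in v3.35.0
		return nil, errTooShort
	}
	return &RedirectIPv6{IPv6: net.IP(data[2:18]).String(), LocalAdmin: binary.BigEndian.Uint16(data[18:20])}, nil
}

// parseUnchecked reproduces the pre-fix branch; the panic is recovered so it can be observed.
func parseUnchecked(data []byte) (res *RedirectIPv6, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return &RedirectIPv6{IPv6: net.IP(data[2:18]).String(), LocalAdmin: binary.BigEndian.Uint16(data[18:20])}, false
}

// sampleCommunity returns a constructed 20-byte community (header bytes arbitrary) and a 19-byte
// copy with cap == len, so data[18:20] really trips Go's bounds check; with spare capacity the
// same expression would silently read the bytes past len instead of panicking.
func sampleCommunity() (good, short []byte) {
	good = append([]byte{0x80, 0x0d}, net.ParseIP("2001:db8::1").To16()...)
	good = append(good, 0x00, 0x64) // local administrator 100
	short = make([]byte, 19)
	copy(short, good)
	return good, short
}
```

The capacity detail matters for detection as well: in a real receive buffer the short community is followed by other bytes, so the unchecked read may yield garbage rather than a crash, and only the explicit length check rejects the input reliably.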
Preconditions
- network: The attacker must be able to send BGP messages to the GoBGP instance.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.