CVE-2026-37462
Description
An integer underflow in gobgp's BGPUpdate.DecodeFromBytes function allows DoS via crafted BGP UPDATE messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An integer underflow vulnerability exists in the BGPUpdate.DecodeFromBytes function within the /bgp/bgp.go file of gobgp versions prior to the fix applied in commit 9ce8936672ebc07df524da77fa4c6ae26d92be6d. This issue affects gobgp v4.3.0 and potentially earlier versions. The vulnerability is triggered when processing a crafted BGP UPDATE message.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted BGP UPDATE message to a vulnerable gobgp instance. The crafted message manipulates length fields in a way that causes an integer underflow when calculating remaining data. This underflow leads to an incorrect calculation of the remaining data to be processed, allowing the function to proceed erroneously.
Impact
Successful exploitation of this vulnerability results in a Denial of Service (DoS) condition. The incorrect processing of the crafted BGP UPDATE message can cause the gobgp process to crash or become unresponsive, disrupting BGP routing operations. The scope of the impact is limited to the affected gobgp instance.
Mitigation
The vulnerability is fixed in gobgp version v4.3.0 via commit 9ce8936672ebc07df524da77fa4c6ae26d92be6d [1]. Users are advised to upgrade to a patched version of gobgp. The available references mention no specific workaround for cases where an immediate upgrade is not possible.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
9ce8936672eb packet/bgp: fix uint16 underflow in BGPUpdate.DecodeFromBytes
2 files changed · +57 −2
pkg/packet/bgp/bgp.go+15 −2 modified@@ -15703,7 +15703,11 @@ func (msg *BGPUpdate) DecodeFromBytes(data []byte, options ...*MarshallingOption if err != nil { return err } - routelen -= uint16(w.Len(options...) + addpathLen) + wLen := uint16(w.Len(options...) + addpathLen) + if wLen > routelen { + return NewMessageError(eCode, eSubCode, nil, "Withdrawn route length exceeds withdrawn routes boundary") + } + routelen -= wLen if len(data) < w.Len(options...) { return NewMessageError(eCode, eSubCode, nil, "Withdrawn route length is short") } @@ -15758,7 +15762,16 @@ func (msg *BGPUpdate) DecodeFromBytes(data []byte, options ...*MarshallingOption strongestError = e } } - pathlen -= uint16(p.Len(options...)) + pLen := uint16(p.Len(options...)) + if pLen > pathlen { + e = NewMessageErrorWithErrorHandling( + eCode, BGP_ERROR_SUB_ATTRIBUTE_LENGTH_ERROR, data, ERROR_HANDLING_TREAT_AS_WITHDRAW, nil, "path attribute length exceeds path attributes boundary") + if e.(*MessageError).Stronger(strongestError) { + strongestError = e + } + return strongestError + } + pathlen -= pLen if len(data) < p.Len(options...) { e = NewMessageErrorWithErrorHandling( eCode, BGP_ERROR_SUB_ATTRIBUTE_LENGTH_ERROR, data, ERROR_HANDLING_TREAT_AS_WITHDRAW, nil, "attribute length is short")
pkg/packet/bgp/bgp_test.go+42 −0 modified@@ -1470,6 +1470,48 @@ func TestParseBogusShortData(t *testing.T) { } } +func TestUpdateWithdrawnRouteUnderflow(t *testing.T) { + // WithdrawnRoutesLen is 2, but the /32 prefix requires 5 bytes. + // Without an underflow guard, routelen wraps from 2 to 65533 and the + // loop silently consumes the entire remaining buffer as withdrawn + // routes, returning no error (silent data corruption). + const underflowed = 65533 // uint16(2 - 5) + buf := make([]byte, 2+5+underflowed+2) + buf[0], buf[1] = 0x00, 0x02 // WithdrawnRoutesLen = 2 + buf[2] = 0x20 // /32 prefix length + buf[3], buf[4], buf[5], buf[6] = 10, 0, 0, 1 // 10.0.0.1 + // bytes 7..65539: zeros, decoded as 65533 /0 prefixes + // bytes 65540..65541: TotalPathAttributeLen = 0 + + u := &BGPUpdate{} + err := u.DecodeFromBytes(buf) + require.Error(t, err) +} + +func TestUpdatePathAttrLenUnderflow(t *testing.T) { + // TotalPathAttributeLen is 3, but the ORIGIN attribute is 4 bytes. + // Without an underflow guard, pathlen wraps from 3 to 65535 and the + // loop silently consumes the filler bytes as path attributes, + // returning no error (silent data corruption). + // 65535 is divisible by 3 (filler attr size), so the loop exits + // cleanly with pathlen=0 instead of hitting the pathlen<3 guard. + const underflowed = 65535 // uint16(3 - 4) + const fillerAttrLen = 3 + buf := make([]byte, 2+2+4+underflowed) + buf[0], buf[1] = 0x00, 0x00 // WithdrawnRoutesLen = 0 + buf[2], buf[3] = 0x00, 0x03 // TotalPathAttributeLen = 3 + buf[4], buf[5], buf[6], buf[7] = 0x40, 0x01, 0x01, 0x00 // ORIGIN(IGP) + for i := 8; i+2 < len(buf); i += fillerAttrLen { + buf[i] = 0xc0 // flags: optional + transitive + buf[i+1] = 0xff // type: unknown + buf[i+2] = 0x00 // length: 0 + } + + u := &BGPUpdate{} + err := u.DecodeFromBytes(buf) + require.Error(t, err) +} + func TestFuzzCrashers(t *testing.T) { crashers := []string{ "000000000000000000\x01",
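Review bot: in the withdrawn-routes hunk of bgp.go, `wLen := uint16(w.Len(options...) + addpathLen)` narrows an int sum to uint16 before the guard runs, so the `wLen > routelen` comparison is only sound while that sum stays below 65536. Comparing in int, for example `w.Len(options...)+addpathLen > int(routelen)`, and converting only for the subtraction would remove that assumption. The unchanged `len(data) < w.Len(options...)` check that follows recomputes the length without addpathLen; reusing one local for both checks would make it clear whether that difference is intended.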
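Review bot: in the path-attributes hunk of bgp.go, the new `pLen > pathlen` branch returns strongestError at once, while the block just above it only records the error in strongestError and lets the loop continue; a short comment stating that pathlen cannot be trusted past this point would document why this case ends parsing. The `uint16(p.Len(options...))` conversion also happens before the comparison, so doing the comparison in int would keep the guard valid for any attribute length p.Len can return.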
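Review bot: in bgp_test.go, both TestUpdateWithdrawnRouteUnderflow and TestUpdatePathAttrLenUnderflow end with `require.Error(t, err)`, which passes for any decoding failure and so does not prove that the new boundary checks are the ones that fired. Asserting on the returned error, for instance that it is a *MessageError carrying the "exceeds withdrawn routes boundary" or "exceeds path attributes boundary" message, would tie each test to the guard it is meant to cover and keep it from passing if another length check rejects the buffer first.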
Vulnerability mechanics
Root cause
"An integer underflow in the BGPUpdate.DecodeFromBytes function allows crafted BGP UPDATE messages to cause a denial of service."
Attack vector
An attacker can supply a crafted BGP UPDATE message to a vulnerable gobgp instance. This message contains a malformed section length that, when subtracted from the current length counter, wraps around due to integer underflow. This causes the parser to incorrectly consume data beyond the intended boundaries, leading to a denial of service [ref_id=1].
Affected code
The vulnerability exists in the BGPUpdate.DecodeFromBytes function within the pkg/packet/bgp/bgp.go file. The specific lines affected are where `routelen` and `pathlen` are decremented after calculating the length of withdrawn routes and path attributes, respectively [patch_id=4683559].
What the fix does
The patch introduces bounds checks before subtracting lengths in the BGPUpdate.DecodeFromBytes function [patch_id=4683559]. Specifically, it checks if the calculated length to subtract (wLen or pLen) exceeds the remaining length (routelen or pathlen). If it does, an error is returned, preventing the integer underflow and the subsequent out-of-bounds data consumption that would lead to a denial of service [ref_id=1].
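The wrap-around and the guard described above can be reproduced in a small stand-alone parser. This is an added example, not gobgp code: `walkSection`, `elemLen`, `sample` and the error values are hypothetical names, and the input buffer is constructed to mirror the shape used in the patch's withdrawn-route test.

```go
package main

import (
	"errors"
	"fmt"
)

var errBoundary = errors.New("element length exceeds section boundary")
var errShort = errors.New("buffer shorter than element")

// elemLen is the encoded size of one prefix element: a 1-byte bit length
// followed by ceil(bits/8) prefix bytes.
func elemLen(b []byte) int { return 1 + (int(b[0])+7)/8 }

// walkSection consumes elements from a section declared to be sectionLen
// bytes long. guarded=false subtracts blindly; guarded=true checks first.
func walkSection(data []byte, sectionLen uint16, guarded bool) (count, consumed int, err error) {
	remaining := sectionLen
	for remaining > 0 {
		if len(data) == 0 || len(data) < elemLen(data) {
			return count, consumed, errShort
		}
		n := elemLen(data)
		// Compare as int so the guard does not depend on a narrowing cast.
		if guarded && n > int(remaining) {
			return count, consumed, errBoundary
		}
		remaining -= uint16(n) // wraps modulo 65536 when n > remaining
		data = data[n:]
		consumed += n
		count++
	}
	return count, consumed, nil
}

// sample returns a constructed buffer: one /32 prefix (5 bytes) followed by
// 65533 zero bytes, each of which parses as a 1-byte /0 prefix.
func sample() []byte {
	buf := make([]byte, 5+65533)
	copy(buf, []byte{0x20, 10, 0, 0, 1})
	return buf
}

func main() {
	c, n, err := walkSection(sample(), 2, false)
	fmt.Println("unguarded:", c, "elements,", n, "bytes, err =", err)
	c, n, err = walkSection(sample(), 2, true)
	fmt.Println("guarded:  ", c, "elements,", n, "bytes, err =", err)
}
```

With a declared section length of 2, the unguarded walk reports no error while consuming the whole buffer; the guarded walk rejects the first element before any subtraction takes place.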
Preconditions
- input: A crafted BGP UPDATE message with a malformed section length.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.