High severity7.5GHSA Advisory· Published May 7, 2026· Updated May 7, 2026
CVE-2026-41642
CVE-2026-41642
Description
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/osrg/gobgp/v4Go | >= 4.3.0, < 4.4.0 | 4.4.0 |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/osrg/gobgp/releases/tag/v4.4.0nvdPatchProductWEB
- github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4pxnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-7235-89m6-f4pxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41642ghsaADVISORY
News mentions
0No linked articles in our index yet.