Medium severity5.3NVD Advisory· Published May 4, 2026· Updated May 6, 2026

CVE-2026-7737

Description

A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/osrg/gobgpGo	< 4.4.0	4.4.0

Affected products

Osrg/Gobgpinferred2 versions
<=4.3.0+ 1 more
- (no CPE)range: <=4.3.0
- cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*range: <4.4.0

Patches

bc77597d4233

packet/bmp: validate ParseBody input length before reading fields

https://github.com/osrg/gobgpFUJITA TomonoriApr 1, 2026via ghsa

commit

1 file changed · +6 −0

pkg/packet/bmp/bmp.go+6 −0 modified

@@ -360,6 +360,9 @@ func NewBMPStatisticsReport(p BMPPeerHeader, stats []BMPStatsTLVInterface) *BMPM
 }
 
 func (body *BMPStatisticsReport) ParseBody(msg *BMPMessage, data []byte, options ...*bgp.MarshallingOption) error {
+	if len(data) < 4 {
+		return fmt.Errorf("BMP Statistics Report body too short: %d bytes", len(data))
+	}
 	body.Count = binary.BigEndian.Uint32(data[:4])
 	data = data[4:]
 	for len(data) >= 4 {
@@ -548,6 +551,9 @@ func NewBMPPeerUpNotification(p BMPPeerHeader, lAddr netip.Addr, lPort, rPort ui
 }
 
 func (body *BMPPeerUpNotification) ParseBody(msg *BMPMessage, data []byte, options ...*bgp.MarshallingOption) error {
+	if len(data) < 20 {
+		return fmt.Errorf("BMP Peer Up Notification body too short: %d bytes", len(data))
+	}
 	if msg.PeerHeader.PeerType != BMP_PEER_TYPE_LOCAL_RIB && msg.PeerHeader.Flags&BMP_PEER_FLAG_IPV6 != 0 {
 		body.LocalAddress, _ = netip.AddrFromSlice(data[:16])
 	} else {

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260nvdPatchWEB
github.com/osrg/gobgp/releases/tag/v4.4.0nvdPatchProductWEB
github.com/advisories/GHSA-w88c-9vg8-cmq8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7737ghsaADVISORY
vuldb.com/submit/807605nvdThird Party AdvisoryVDB EntryWEB
vuldb.com/vuln/360912nvdThird Party AdvisoryVDB EntryWEB
vuldb.com/vuln/360912/ctinvdPermissions RequiredVDB EntryWEB

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.3/ 10

CVSS v46.9

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

Probability of exploitation in the next 30 days.

0.10%

VYPR risk score

Composite of severity, exploitation, and reach.

0.27low

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-125
Out-of-bounds Read

CVE ID

CVE-2026-7737

Source code

Credits

S(
Sunxj (VulDB User)
reporter