CVE-2026-7737

MEDIUM

osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds

Title source: cna

Description

A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.

References (6)

Core 6

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-360912 | osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds

https://vuldb.com/vuln/360912

Signature, Permissions Required signature permissions-required

VDB-360912 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/360912/cti

Third Party Advisory third-party-advisory

Submit #807605 | osrg GoBGP <= 4.3.0 Out-of-Bounds Read

https://vuldb.com/submit/807605

Patch patch

https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260

View Patch ZIP pw:eip

Patch patch

https://github.com/osrg/gobgp/releases/tag/v4.4.0

Product product

https://github.com/osrg/gobgp/

Scores

CVSS v3 5.3

EPSS 0.0064

EPSS Percentile 45.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-119 CWE-125

Status published

Products (7)

osrg/gobgp < 4.4.0

osrg/gobgp 0 - 4.4.0Go

osrg/GoBGP 4.0

osrg/GoBGP 4.1

osrg/GoBGP 4.2

osrg/GoBGP 4.3.0

osrg/GoBGP 4.4.0

Published May 04, 2026

Tracked Since May 04, 2026