CVE-2026-5122 | osrg GoBGP up to 4.3.0 BGP OPEN Message pkg/packet/bgp/bgp.go DecodeFromBytes domainNameLen access control (ID 3343)

VDB-354154 · CVE-2026-5122 · ID 3343 OSRG GOBGP UP TO 4.3.0 BGP OPEN MESSAGE PKG/PACKET/BGP/BGP.GO DECODEFROMBYTES DOMAINNAMELEN ACCESS CONTROL HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.6 $0-$5k 2.05 Summaryinfo A vulnerability labeled as problematic has been found in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Executing a manipulation of the argument domainNameLen can lead to access control. The identification of this vulnerability is CVE-2026-5122. The attack may be launched remotely. There is no exploit available. A patch should be applied to remediate this issue. Detailsinfo A vulnerability has been found in osrg GoBGP up to 4.3.0 and classified as problematic. This vulnerability affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. The manipulation of the argument domainNameLen with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect integrity. The advisory is available at github.com. This vulnerability was named CVE-2026-5122. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1068 by the MITRE ATT&CK project. Applying the patch 2b09db390a3d455808363c53e409afe6b1b86d2d is able to eliminate this problem. The bugfix is ready for download at github.com. Productinfo Vendor osrg Name GoBGP Version 4.0 4.1 4.2 4.3.0 License open-source Website Product: https://github.com/osrg/gobgp/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 3.7 VulDB Meta Temp Score: 3.6 VulDB Base Score: 3.7 VulDB Temp Score: 3.6 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Access control CWE: CWE-284 / CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: 2b09db390a3d455808363c53e409afe6b1b86d2d Timelineinfo 03/30/2026 Advisory disclosed 03/30/2026 +0 days VulDB entry created 03/30/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: 3343 Status: Confirmed CVE: CVE-2026-5122 (🔒) GCVE (CVE): GCVE-0-2026-5122 GCVE (VulDB): GCVE-100-354154 Entryinfo Created: 03/30/2026 09:51 Changes: 03/30/2026 09:51 (58) Complete: 🔍 Submitter: rensiru Cache ID: 99:12A:101 Submitinfo Accepted Submit #780124: GoBGP 4.3.0 Improper Handling of Length Parameter Inconsistency (by rensiru) Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸