CVE-2026-37461

An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/37xxx/CVE-2026-37461.json",
    "cna_assigner": "mitre"
}

References

Affected packages

Git / github.com/osrg/gobgp

Affected ranges

Type

GIT

Repo

https://github.com/osrg/gobgp

Events

Introduced

Fixed

362cce3e325f56e7a4f792ccb9689b3bdda9e682

Fixed

9ce8936672ebc07df524da77fa4c6ae26d92be6d

Database specific

{
    "cpe": "cpe:2.3:a:osrg:gobgp:4.3.0:*:*:*:*:*:*:*",
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.3.0"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.1

v1.10

v1.11

v1.12

v1.13

v1.14

v1.15

v1.16

v1.17

v1.18

v1.19

v1.2

v1.20

v1.21

v1.22

v1.23

v1.24

v1.25

v1.26

v1.27

v1.28

v1.29

v1.3

v1.30

v1.31

v1.32

v1.33

v1.4

v1.5

v1.6

v1.7

v1.8

v1.9

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.32.0

v2.33.0

v2.34.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.1.0

v3.10.0

v3.11.0

v3.12.0

v3.13.0

v3.14.0

v3.15.0

v3.16.0

v3.17.0

v3.19.0

v3.2.0

v3.20.0

v3.21.0

v3.22.0

v3.23.0

v3.24.0

v3.25.0

v3.26.0

v3.27.0

v3.28.0

v3.29.0

v3.3.0

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.34.0

v3.35.0

v3.36.0

v3.37.0

v3.4.0

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.9.0

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.3.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-37461.json"