CVE-2026-7735

High

Published: 04 May 2026

Published

04 May 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0006 17.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely.…

Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the buffer overflow by requiring timely flaw remediation through upgrading GoBGP to the patched version 4.4.0.

SI-10 Information Input Validation good match

prevent

Requires validation of BGP packet inputs at the AIGP attribute parser to block malformed data causing the buffer overflow.

SI-16 Memory Protection partial match

prevent

Implements memory safeguards like ASLR and DEP to reduce exploitability of the buffer overflow in PathAttributeAigp.DecodeFromBytes.

Security SummaryAI

CVE-2026-7735 is a buffer overflow vulnerability affecting osrg GoBGP versions up to 4.3.0. The flaw exists in the PathAttributeAigp.DecodeFromBytes function within the file pkg/packet/bgp/bgp.go, specifically in the AIGP Attribute Parser component. It is linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Manipulation of BGP packets triggers the buffer overflow, enabling limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Advisories recommend upgrading to GoBGP version 4.4.0, which resolves the issue through patch commit 51ad1ada06cb41ce47b7066799981816f50b7ced. Additional details are available on the GoBGP GitHub repository, the commit page, the v4.4.0 release, and VulDB entries.

Details

CWE(s): CWE-119 CWE-120

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Buffer overflow in remotely accessible BGP packet parser (AIGP attribute handling) directly enables unauthenticated remote exploitation of a network-exposed routing service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/osrg/gobgp/
cna@vuldb.com
https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced
cna@vuldb.com
https://github.com/osrg/gobgp/releases/tag/v4.4.0
cna@vuldb.com
https://vuldb.com/submit/807600
cna@vuldb.com
https://vuldb.com/vuln/360910
cna@vuldb.com
https://vuldb.com/vuln/360910/cti
cna@vuldb.com