Cyber Posture

CVE-2026-7736

Severity: High
Published: 04 May 2026
Modified: 04 May 2026
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0005 (14.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in osrg GoBGP up to version 4.3.0. The affected code is the function parseRibEntry in the file pkg/packet/mrt/mrt.go. Manipulated input can lead to an integer underflow, and the attack can be launched remotely. Upgrading to version 4.4.0 addresses this issue; the fixing commit is 76d911046344a3923cbe573364197aa081944592. It is recommended to upgrade the affected component.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly requires timely remediation of known software flaws, such as the integer underflow in GoBGP's parseRibEntry function, by patching to version 4.4.0.

prevent: Mandates validation of incoming MRT packet data so that malformed inputs capable of triggering the integer underflow are rejected before parsing.

detect: Requires vulnerability scanning and monitoring to identify CVE-2026-7736 in deployed GoBGP instances so that they can be remediated promptly.

Security Summary (AI-generated)

CVE-2026-7736 is an integer underflow vulnerability affecting osrg GoBGP versions up to 4.3.0. The issue resides in the parseRibEntry function within the file pkg/packet/mrt/mrt.go, which can be triggered by malformed input leading to improper handling of integer values. This flaw, classified under CWE-189 (Numeric Errors) and CWE-191 (Integer Underflow or Wraparound), carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited over the network by a remote attacker without authentication or user interaction. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability, such as partial data disclosure, minor tampering, or denial of service through resource exhaustion tied to the underflow condition.

Mitigation is addressed by upgrading to GoBGP version 4.4.0, which incorporates the fixing commit 76d911046344a3923cbe573364197aa081944592. Official resources, including the GoBGP GitHub repository, release notes for v4.4.0, and the specific patch commit, confirm that updating the affected component resolves the issue.

Details

CWE(s)

CWE-189 (Numeric Errors), CWE-191 (Integer Underflow or Wraparound)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of GoBGP's MRT parser (integer underflow on malformed input) directly maps to initial access via public-facing or remote service exploitation and to DoS impact via application-level exploitation; limited C/I/A impacts preclude RCE or post-exploitation primitives.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References