CVE-2026-7737: GoBGP has Improper Restriction of Operations within the Bounds of a Memory Buffer

May 4, 2026 (updated May 11, 2026)

A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.

References

github.com/advisories/GHSA-w88c-9vg8-cmq8
github.com/osrg/gobgp
github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260
github.com/osrg/gobgp/releases/tag/v4.4.0
nvd.nist.gov/vuln/detail/CVE-2026-7737
vuldb.com/submit/807605
vuldb.com/vuln/360912
vuldb.com/vuln/360912/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-7737 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →