CVE-2026-42285: GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)
Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing

An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a “withdraw” action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.
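As an added illustration of what "inconsistent attribute lengths" means on the wire (this is not GoBGP's code or its fix), the following Go sketch checks that every length field of an UPDATE message agrees with the bytes actually present, following the RFC 4271 message layout. The names CheckUpdateLengths and sampleUpdate are hypothetical, and the sample bytes are constructed for the example rather than taken from the advisory.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// CheckUpdateLengths verifies each length field of a BGP UPDATE before any attribute is interpreted.
func CheckUpdateLengths(msg []byte) error {
	if len(msg) < 23 || msg[18] != 2 || int(binary.BigEndian.Uint16(msg[16:18])) != len(msg) {
		return fmt.Errorf("not a complete UPDATE or header length mismatch")
	}
	body := msg[19:] // skip 16-byte marker, 2-byte length, 1-byte type
	wdLen := int(binary.BigEndian.Uint16(body))
	if 4+wdLen > len(body) {
		return fmt.Errorf("withdrawn routes length overruns message")
	}
	attrs := body[4+wdLen:]
	attrLen := int(binary.BigEndian.Uint16(body[2+wdLen:]))
	if attrLen > len(attrs) {
		return fmt.Errorf("total path attribute length overruns message")
	}
	for attrs = attrs[:attrLen]; len(attrs) > 0; {
		ext := int(attrs[0] >> 4 & 1) // Extended Length flag: length field is 2 bytes
		if len(attrs) < 3+ext {
			return fmt.Errorf("truncated attribute header")
		}
		n := int(attrs[2])
		if ext == 1 {
			n = int(binary.BigEndian.Uint16(attrs[2:4]))
		}
		if 3+ext+n > len(attrs) {
			return fmt.Errorf("attribute type %d: length %d overruns attribute block", attrs[1], n)
		}
		attrs = attrs[3+ext+n:]
	}
	return nil
}

func sampleUpdate(attrs []byte) []byte { // constructed UPDATE: no withdrawn routes, no NLRI
	total := 23 + len(attrs)
	msg := append(bytes.Repeat([]byte{0xff}, 16), byte(total>>8), byte(total), 2, 0, 0)
	return append(append(msg, byte(len(attrs)>>8), byte(len(attrs))), attrs...)
}

func main() {
	fmt.Println(CheckUpdateLengths(sampleUpdate([]byte{0x40, 1, 1, 0}))) // ORIGIN, length matches value
	fmt.Println(CheckUpdateLengths(sampleUpdate([]byte{0x40, 1, 5, 0}))) // ORIGIN declares 5 bytes, carries 1
}
```

A message that fails a check like this has no trustworthy attributes, so code handling the rejection path should not assume that any attribute-derived state exists.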