CVE-2026-37462: Integer underflow in BGPUpdate.DecodeFromBytes in gobgp v4.3.0
An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted BGP UPDATE message.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: no fixed version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
An integer underflow vulnerability in the BGPUpdate.DecodeFromBytes function of gobgp v4.3.0 allows a remote, unauthenticated attacker to crash the BGP daemon by sending a specially crafted BGP UPDATE message. The flaw is reachable over the network with no authentication required and no user interaction needed. Successful exploitation causes a denial-of-service condition, disrupting BGP routing operations. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
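The advisory does not reproduce the arithmetic inside BGPUpdate.DecodeFromBytes, so the following is an added illustration of the bug class rather than gobgp's own code: a length-driven loop over the withdrawn-routes section of a BGP UPDATE (RFC 4271 4.3) whose uint16 counter is decremented by each entry's size without first checking that the entry fits, placed beside a hardened version that bounds every read by the declared section and loops on the bytes actually remaining. The two message bodies are constructed for the example; nothing here is taken from the CVE's proof of concept.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Prefix is one IPv4 NLRI entry from the withdrawn-routes section of an UPDATE:
// a one-byte prefix length in bits followed by ceil(bits/8) address octets.
type Prefix struct {
	Bits uint8
	Addr [4]byte
}

func (p Prefix) String() string {
	return fmt.Sprintf("%d.%d.%d.%d/%d", p.Addr[0], p.Addr[1], p.Addr[2], p.Addr[3], p.Bits)
}

var (
	errTruncated = errors.New("update: withdrawn routes truncated")
	errBadPrefix = errors.New("update: IPv4 prefix length exceeds 32 bits")
)

// decodeWithdrawnVulnerable (illustrative, not gobgp's code): the declared section
// length is checked once, but the running counter is reduced by each entry's size
// without checking that the entry fits, so the uint16 wraps and the loop walks past
// the section and off the end of the message.
func decodeWithdrawnVulnerable(msg []byte) ([]Prefix, error) {
	if len(msg) < 2 {
		return nil, errTruncated
	}
	withdrawnLen := binary.BigEndian.Uint16(msg[:2])
	data := msg[2:]
	if int(withdrawnLen) > len(data) {
		return nil, errTruncated // only the section-level length is checked
	}
	var out []Prefix
	for remaining := withdrawnLen; remaining > 0; {
		bits := data[0] // index-out-of-range panic once data is exhausted
		n := 1 + (int(bits)+7)/8
		var p Prefix
		p.Bits = bits
		copy(p.Addr[:], data[1:n]) // slice-bounds panic if n exceeds len(data)
		out = append(out, p)
		remaining -= uint16(n) // n > remaining wraps to ~65535 and keeps the loop alive
		data = data[n:]
	}
	return out, nil
}

// decodeWithdrawnHardened never reads outside the declared section, rejects an
// entry that does not fit inside it, and loops on the slice length rather than
// on a counter that can underflow.
func decodeWithdrawnHardened(msg []byte) ([]Prefix, error) {
	if len(msg) < 2 {
		return nil, errTruncated
	}
	withdrawnLen := int(binary.BigEndian.Uint16(msg[:2]))
	data := msg[2:]
	if withdrawnLen > len(data) {
		return nil, errTruncated
	}
	section := data[:withdrawnLen]
	var out []Prefix
	for len(section) > 0 {
		bits := section[0]
		if bits > 32 {
			return nil, errBadPrefix
		}
		n := 1 + (int(bits)+7)/8
		if n > len(section) {
			return nil, errTruncated // entry claims more octets than the section holds
		}
		var p Prefix
		p.Bits = bits
		copy(p.Addr[:], section[1:n])
		out = append(out, p)
		section = section[n:]
	}
	return out, nil
}

// panics reports whether f panics; in a daemon an unrecovered panic in the
// receive goroutine is the crash that constitutes the DoS.
func panics(f func()) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	f()
	return false
}

// Constructed UPDATE bodies (the bytes after the 19-byte BGP header).
// benignUpdate withdraws 10.1.2.0/24 and carries no path attributes.
var benignUpdate = []byte{0x00, 0x04, 0x18, 10, 1, 2, 0x00, 0x00}

// craftedUpdate declares a 1-octet withdrawn section whose only entry is a /32
// needing 5 octets: the section check passes (1 <= 7), the per-entry check is missing.
var craftedUpdate = []byte{0x00, 0x01, 0x20, 10, 0, 0, 1, 0x00, 0x00}

func main() {
	for _, m := range [][]byte{benignUpdate, craftedUpdate} {
		if p, err := decodeWithdrawnHardened(m); err != nil {
			fmt.Println("hardened: rejected:", err)
		} else {
			fmt.Println("hardened: withdrawn", p)
		}
		fmt.Println("vulnerable crashes:", panics(func() { decodeWithdrawnVulnerable(m) }))
	}
}
```

On craftedUpdate the vulnerable loop consumes the /32 entry, wraps `remaining` to 65532, reads the two path-attribute-length octets as further NLRI and then panics on an empty slice; the hardened parser returns errTruncated before copying anything. Any parser that keeps a separate counter for a nested length field should be read with this pattern in mind: the counter must be compared against the entry size before the subtraction, or the loop should be driven by the bounded slice itself.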
HarborGuard Coverage
Detection for CVE-2026-37462 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle gobgp v4.3.0. Any image in a connected registry or CI pipeline that includes the affected library is flagged automatically. For a manual check outside the platform, the module versions compiled into a Go binary can be listed with `go version -m <binary>`, which shows the gobgp module and its version for any binary built with Go modules.
HarborGuard scores this finding at CVSS 7.3 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on configured ownership rules.
No upstream fix version is currently available for CVE-2026-37462. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the gobgp BGP listener (TCP port 179) over the network; any host that can get a BGP UPDATE message to the service is in scope. Note that gobgp itself closes incoming TCP connections from addresses that are neither configured neighbors nor inside a configured dynamic-neighbor prefix, so the realistic sender is a peer, a host able to impersonate a peer's address, or a compromised peer.
- Authentication: Not required
No credentials or prior account access are needed to send a crafted BGP UPDATE message; the CVSS PR:N rating reflects this, not that arbitrary hosts are accepted as peers.
- Victim interaction: Not required
Exploitation is fully attacker-driven; no user or operator action is required to trigger the crash.
- Attack complexity: Low (CVSS AC:L)
The exploit is reliable and condition-free - no race conditions, memory layout dependencies, or special environmental factors are required.
Blast Radius
- Crashes the gobgp BGP daemon process, taking down BGP session management and routing table updates for the affected host.
- Disrupts peered BGP sessions: once the daemon is gone, peers tear down their sessions (on TCP reset or hold-timer expiry) and withdraw every route learned from the affected speaker, which can partition any part of the network that depends on this gobgp instance for reachability. Peers that retry will re-establish the session after a restart, and a repeat of the crafted message will crash it again.
- The CVSS vector rates confidentiality and integrity impact as low (C:L/I:L) alongside availability (A:L); the demonstrated impact is the crash, and no data disclosure or modification path has been shown for this flaw.
How HarborGuard Handles This
Continuous monitoring of this advisory across all customer images is active, with re-evaluation on every ingest cycle so that a patched-image rebuild becomes available the moment gobgp ships a fix. While no upstream patch exists, customers can apply compensating controls: restrict BGP peering to known, trusted peer IP addresses via network policy, isolate the gobgp workload in its own network segment with strict ingress filtering, and gate any internet-facing BGP exposure behind a firewall rule that allows TCP port 179 only from the addresses of explicitly configured neighbors (firewalls filter on addresses, not AS numbers, so the allow-list must be maintained per peer). Where peers support it, TCP MD5 session authentication (gobgp's per-neighbor auth-password) prevents a spoofed address from completing a session. None of these controls stop a crafted UPDATE from a legitimate peer that has itself been compromised, so the upstream fix remains the only complete remediation. For customers with auto-remediation enabled, the full rebuild-regression-PR flow will execute automatically once a fix version is published, with no manual triage step required.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L