CVE-2026-45047: bird-lg-go: Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
bird-lg-go is a BIRD looking glass written in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by calling json.NewDecoder(r.Body).Decode(&request) directly, without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or the container's memory limit, leading to an unrecoverable fatal error (runtime: out of memory). This vulnerability is fixed in 1.4.5.
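The decoding pattern the advisory describes, placed beside a bounded variant that wraps the body in http.MaxBytesReader (Go 1.19+ for http.MaxBytesError). This is an added example, not bird-lg-go's own code; the request struct fields, the 64 KiB cap and the /api/ route are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
	"net/http"
)

// request stands in for the decoded payload; fields are assumptions, not bird-lg-go's.
type request struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// maxBodyBytes is an assumed cap that still fits any legitimate request.
const maxBodyBytes = 64 << 10

// vulnerableHandler reproduces the advisory's pattern: the body goes straight to
// the decoder with no size limit, so an endless payload drives allocation to OOM.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var req request
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler wraps the body in http.MaxBytesReader before decoding, so
// the decoder can never read past maxBodyBytes whatever the client streams.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req request
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.HandleFunc("/api/", hardenedHandler) // assumed route
	log.Fatal(http.ListenAndServe("127.0.0.1:5000", nil))
}
```

With the cap in place an oversized body is rejected with 413 after at most 64 KiB has been read, instead of being buffered in full.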
HarborGuard Analysis
Synopsis
An unbounded JSON decoding vulnerability in bird-lg-go allows a remote, unauthenticated attacker to exhaust all available memory on the host. By streaming an arbitrarily large JSON payload over a single TCP connection, the attacker triggers Go's runtime allocator to consume gigabytes of RAM until the process dies with a fatal out-of-memory error. Successful exploitation crashes the looking-glass service completely, causing a denial of service. A fix was published in version 1.4.5; HarborGuard tracks this advisory and a patched-image rebuild will become available the moment upstream publishes a fixed release to matched feeds.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from bird-lg-go base layers. Any image containing an affected version of bird-lg-go (earlier than 1.4.5) is flagged immediately on next scan.
- Triage: Available
HarborGuard scores this issue at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are delivered to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image or workload.
- Remediation: Pending upstream
Because no upstream fix version is currently published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 1.4.5 or later is confirmed in the upstream feed. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point, with no manual intervention required.
Exploit Conditions
- Network reachability: Required
The attacker must reach the bird-lg-go HTTP API over the network; the service exposes the vulnerable endpoint remotely over TCP.
- Authentication: Not required
No credentials or session token are needed; the vulnerable apiHandler accepts unauthenticated requests.
- Victim interaction: Not required
No user action is required; the attacker initiates the exploit entirely by sending a crafted request to the server.
- Attack complexity: Low
Exploitation is straightforward and condition-free: streaming an oversized JSON payload over a single connection reliably exhausts memory without requiring any race condition or special environment state.
Blast Radius
- Crashes the bird-lg-go process with a fatal out-of-memory runtime error, taking the looking-glass service fully offline.
- Exhausts physical RAM or container memory limits on the host, which can pressure or destabilize co-located processes and workloads sharing the same node.
- Service recovery requires a manual or orchestrated restart, leaving the network visibility tool unavailable for the duration of the outage.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all scanned images containing bird-lg-go versions earlier than 1.4.5. Because no upstream fix is published yet, HarborGuard re-evaluates the advisory on every ingest cycle. As soon as version 1.4.5 or a later patched release appears in upstream feeds, a rebuilt image becomes available; for customers with auto-remediation enabled, the pipeline proceeds automatically to a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict inbound access to the bird-lg-go API endpoint to trusted source CIDRs only, container memory limits set at the pod or cgroup level to bound the blast radius of an OOM event, and egress filtering to prevent the service from being reachable from untrusted external addresses.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - xddxdd/bird-lg-go: < 1.4.5
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H