Primary

Context

osrg GoBGP Out-of-Bounds Read Vulnerability in RTR Packet Parsing

Vulnerability

A vulnerability allowing out-of-bounds read has been identified in osrg GoBGP versions up to 3.37.0. The issue arises in the SplitRTR function within pkg/packet/rtr/rtr.go, where the code improperly handles input data, leading to potential memory access violations. This vulnerability can be exploited remotely, although the attack's complexity is considered high.

Impact

Exploitation of this vulnerability causes a runtime panic due to invalid memory access, which can disrupt the application's normal operation.

Reproduction

The vulnerability can be reproduced by sending a 1-byte input to the SplitRTR function in the RTR packet processing module. This input length is insufficient, causing the function to access memory out of bounds, specifically at data[1], which triggers a panic.

Remediation

Users are advised to update to the patched version of osrg GoBGP, which is available on the project's GitHub repository.

Added: Jul 12, 2025, 7:18 AM

Updated: Jul 12, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

9.3

remediation

7.7

relevance

0.2

threat

4.8

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

2.5

exploitability

9.3

remediation

7.7

relevance

0.2

threat

4.8

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

osrg GoBGP Out-of-Bounds Read Vulnerability in RTR Packet Parsing

Vulnerability

Impact

Reproduction

Remediation

Affected Products

osrg GoBGP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating