GHSA-gjrg-jjr3-56cm: GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries
Summary
GoBGP contains a BGP OPEN capability parsing issue where several concrete capability decoders may parse data from the full remaining capability buffer instead of the slice bounded by the declared capability length, CapLen.
A malformed BGP OPEN message can cause bytes from a following capability to be interpreted as part of the current capability. The most security-relevant case is the 4-octet AS capability, where a capability with CapLen == 0 may cause the parser to read bytes from the following capability as the 4-octet AS value. This parsed value may later affect peer AS validation during BGP session establishment.
Details
The issue is in the BGP OPEN capability parser under:
- pkg/packet/bgp/bgp.go
- pkg/packet/bgp/validate.go
-
The BGP OPEN optional parameter capability format includes a capability code, a capability length field, and a capability value. Each concrete capability decoder should only parse bytes inside the declared capability value boundary.
In affected versions, the generic capability parser records the declared CapLen, but several concrete capability decoders continue parsing from the full remaining capability buffer after advancing past the two-byte capability header. Conceptually, the vulnerable pattern is:
data = data[2:]
// decoder reads from data without first limiting it to CapLen
PoC
The following parser-level proof of concept demonstrates the issue without requiring a full BGP session or a running bgpd instance.
The malformed capability uses:
- Capability Code: 65 (BGP_CAP_FOUR_OCTET_AS_NUMBER)
- Declared CapLen: 0
- Four following bytes: 00 00 fd e8
Although the capability declares an empty value, affected versions parse the following four bytes as the 4-octet AS value 65000.
Impact
A remote peer that can send a malformed BGP OPEN message to a GoBGP instance may cause capability values to be parsed from outside their declared CapLen boundaries.
In the 4-octet AS capability case, this may affect:
- peer AS validation;
- cap
Details
Original advisory: https://github.com/advisories/GHSA-gjrg-jjr3-56cm
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-49837 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10