CVE-2026-26514

Name of the Vulnerable Software and Affected Versions bird-lg-go versions prior to commit 6187a4e

Description A flaw exists in the traceroute module of bird-lg-go that allows for argument injection. The shlex.Split function is used to process user-supplied input without proper validation. This allows attackers to inject arbitrary flags, such as -w and -q, through the q parameter. Successful exploitation can lead to a Denial of Service (DoS) by consuming system resources. The vulnerable parameter is q.

Recommendations Update bird-lg-go to commit 6187a4e or a later version.