PT-2026-37135 · Gobgp · Gobgp

Bacon251 · Published 2026-04-29 · Updated 2026-05-07
CVE-2026-41642 · CVSS v3.1 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: GoBGP versions prior to 4.4.0
Description: A remote Denial of Service (DoS) is possible because of a nil pointer dereference. When a malformed BGP UPDATE message carries a path attribute with an unrecognized type code and the Optional flag bit clear (that is, an attribute claiming to be well-known), the daemon fails to interrupt the message handling flow. RFC 4271 requires the receiver to answer such an attribute with an UPDATE Message Error NOTIFICATION (subcode Unrecognized Well-known Attribute) and close that session; instead the handler keeps going with the failed parse result, dereferences a nil pointer, and the whole gobgpd process panics, taking down every other peering with it rather than only the affected session. The issue is located in the Finite State Machine (FSM) message handling loop, in the recvMessageloop() function in pkg/server/fsm.go.
Recommendations: Update to version 4.4.0. Until the upgrade is deployed, note that the malformed UPDATE has to arrive over a BGP session the daemon has accepted, so limiting which peers can reach the BGP port and open a session (peer ACLs, TCP-MD5 or TCP-AO, GTSM) bounds exposure, and alerting on unexpected gobgpd restarts is a cheap way to detect exploitation attempts.
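To make the failure mode concrete, here is an added example in Go; it is not GoBGP's code and not taken from this advisory. It contains a toy RFC 4271 path-attribute parser that returns a NOTIFICATION error (code 3, subcode 2) for an unknown attribute whose Optional bit is clear, plus two receive handlers: one that logs the parse error but does not interrupt handling (and so dereferences a nil result, the pattern the advisory describes), and one that sends the NOTIFICATION and drops only that session. The type names, the Session struct and the sample byte strings are all constructed for this example; the ExtLen and truncated-attribute handling goes a little beyond the single case the advisory names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Path attribute flag bits (RFC 4271 section 4.3). A clear Optional bit means
// the sender claims the attribute is well-known, which every BGP speaker must
// understand; an unknown type code with that bit clear is therefore an error.
// NOTIFICATION code 3 is UPDATE Message Error; subcodes per RFC 4271 6.3.
const (
	flagOptional              = 0x80
	flagExtLen                = 0x10
	codeUpdateMessageError    = 3
	subMalformedAttributeList = 1
	subUnrecognizedWellKnown  = 2
	subAttributeLengthError   = 5
)

// Type codes this toy parser recognises: a subset of the IANA registry.
var knownTypes = map[uint8]string{1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC"}

type PathAttr struct {
	Flags uint8
	Type  uint8
	Value []byte
}

// UpdateMsg is returned as a pointer, which is what turns an ignored parse
// error into a nil pointer dereference in the unsafe handler below.
type UpdateMsg struct{ Attrs []PathAttr }

// NotificationError is the NOTIFICATION the receiver must send before closing
// the session; Data echoes the offending attribute as RFC 4271 asks.
type NotificationError struct {
	Code, Subcode uint8
	Data          []byte
}

func (e *NotificationError) Error() string {
	return fmt.Sprintf("NOTIFICATION code=%d subcode=%d", e.Code, e.Subcode)
}

// ParseUpdateAttrs walks the Path Attributes field of an UPDATE. Any failure
// returns (nil, *NotificationError); no partial message is ever handed back.
func ParseUpdateAttrs(buf []byte) (*UpdateMsg, error) {
	msg := &UpdateMsg{}
	for len(buf) > 0 {
		hdr := 3
		if buf[0]&flagExtLen != 0 {
			hdr = 4 // Extended Length: two-byte length field
		}
		if len(buf) < hdr {
			return nil, &NotificationError{codeUpdateMessageError, subMalformedAttributeList, nil}
		}
		flags, typ, length := buf[0], buf[1], int(buf[2])
		if hdr == 4 {
			length = int(binary.BigEndian.Uint16(buf[2:4]))
		}
		if len(buf) < hdr+length {
			return nil, &NotificationError{codeUpdateMessageError, subAttributeLengthError, buf}
		}
		raw := buf[:hdr+length]
		if _, known := knownTypes[typ]; !known && flags&flagOptional == 0 {
			// Unknown type code claiming to be well-known: tear the session
			// down, so stop parsing right here instead of carrying on.
			return nil, &NotificationError{codeUpdateMessageError, subUnrecognizedWellKnown, raw}
		}
		msg.Attrs = append(msg.Attrs, PathAttr{Flags: flags, Type: typ, Value: raw[hdr:]})
		buf = buf[hdr+length:]
	}
	return msg, nil
}

// Session is the sliver of FSM state the two handlers need (constructed).
type Session struct {
	State string             // "Established" or "Idle"
	Sent  *NotificationError // last NOTIFICATION sent, if any
	Seen  int                // attributes accepted by the RIB stand-in
}

// HandleUpdateUnsafe models the advisory's failure mode: the parse error is
// logged but handling is not interrupted, so the nil result gets used. The
// recover exists only so this example can report the panic instead of dying.
func (s *Session) HandleUpdateUnsafe(upd []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("daemon panic: %v", r)
		}
	}()
	msg, perr := ParseUpdateAttrs(upd)
	if perr != nil {
		fmt.Println("parse error (ignored):", perr)
	}
	s.Seen += len(msg.Attrs) // nil pointer dereference whenever perr != nil
	return nil
}

// HandleUpdateSafe sends the NOTIFICATION and moves this FSM to Idle; the
// process, and every other peering, survives.
func (s *Session) HandleUpdateSafe(upd []byte) error {
	msg, err := ParseUpdateAttrs(upd)
	if err != nil {
		var nerr *NotificationError
		if errors.As(err, &nerr) {
			s.Sent = nerr
		}
		s.State = "Idle"
		return err
	}
	s.Seen += len(msg.Attrs)
	return nil
}

// Constructed sample inputs (not captured traffic): a legal ORIGIN attribute,
// then one of unassigned type 0xEE with the Optional bit clear.
var (
	GoodAttrs = []byte{0x40, 0x01, 0x01, 0x00}
	BadAttrs  = []byte{0x40, 0x01, 0x01, 0x00, 0x00, 0xEE, 0x02, 0xDE, 0xAD}
)

func main() {
	u := &Session{State: "Established"}
	fmt.Println("unsafe:", u.HandleUpdateUnsafe(BadAttrs))
	s := &Session{State: "Established"}
	err := s.HandleUpdateSafe(BadAttrs)
	fmt.Println("safe:", err, "state:", s.State)
}
```

The point of the contrast is in the handlers, not the parser: both call the same parser, but only the safe one treats a parse failure as a reason to leave the receive path. In a real daemon the equivalent of HandleUpdateSafe is the FSM sending the NOTIFICATION, closing the TCP connection and restarting that peer's state machine.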

References: Exploit · Fix
Tags: DoS · NULL Pointer Dereference


Weakness Enumeration

Related Identifiers: CVE-2026-41642 · GHSA-7235-89M6-F4PX

Affected Products: Gobgp