PT-2026-37136 · Gobgp · Gobgp

Bacon251 · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41643

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: GoBGP versions prior to 4.3.0

Description: A remote Denial of Service (DoS) issue exists where a malformed BGP UPDATE message can trigger a runtime error resulting in an index out of range panic. This occurs during the processing of 4-byte AS attributes within the UpdatePathAttrs4ByteAs() function located in internal/pkg/table/message.go. When a BGP UPDATE message contains both an AS PATH and an AS4 PATH attribute, and the AS4 PATH (Type 17) appears before the AS PATH (Type 2) and is malformed, the software removes the AS4 PATH from the msg.PathAttributes slice. This deletion shifts every subsequent attribute one position to the left, but the function continues to update the AS PATH through the index it captured before the deletion. That stale index is now out of range, and the resulting panic crashes the process.

Recommendations: Update to version 4.3.0.
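The following Go model is an added illustration of the stale-index pattern the description names; it is not GoBGP's code and not part of this advisory. The index of AS PATH is recorded, the malformed AS4 PATH ahead of it is removed from the slice, and the write through the old index lands past the end of the shortened slice. PathAttr, the attribute type constants and the "empty body means malformed" check are assumptions; mergeSafe shows the ordering that avoids the panic.

```go
package main

import "fmt"

// Constructed, simplified model of the advisory's pattern; not GoBGP's code (stand-ins only).
const typeASPath, typeAS4Path = 2, 17 // AS_PATH, AS4_PATH attribute type codes
type PathAttr struct {
	Type int
	Data []byte
}
func malformedAS4(a PathAttr) bool { return a.Type == typeAS4Path && len(a.Data) == 0 } // stand-in check
// mergeStale mirrors the vulnerable order: index, delete malformed AS4_PATH, write via stale index.
func mergeStale(attrs []PathAttr) (out []PathAttr, err error) {
	defer func() {
		if r := recover(); r != nil { // unrecovered, this panic takes the daemon down
			err = fmt.Errorf("runtime panic: %v", r)
		}
	}()
	asIdx, as4Idx := -1, -1
	for i, a := range attrs {
		if a.Type == typeASPath {
			asIdx = i
		}
		if a.Type == typeAS4Path {
			as4Idx = i
		}
	}
	if as4Idx >= 0 && malformedAS4(attrs[as4Idx]) {
		attrs = append(attrs[:as4Idx], attrs[as4Idx+1:]...) // later attrs shift left
	}
	if asIdx >= 0 {
		attrs[asIdx].Data = []byte{0xff} // stale when AS4_PATH preceded AS_PATH
	}
	return attrs, nil
}
// mergeSafe deletes first and only then locates AS_PATH, so no index outlives a deletion.
func mergeSafe(attrs []PathAttr) []PathAttr {
	var kept []PathAttr
	for _, a := range attrs {
		if !malformedAS4(a) {
			kept = append(kept, a)
		}
	}
	for i := range kept {
		if kept[i].Type == typeASPath {
			kept[i].Data = []byte{0xff}
		}
	}
	return kept
}
```

With AS_PATH first in the message the same deletion is harmless, which is why the attribute order is part of the trigger condition.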

Weakness Enumeration

DoS
Improper Validation of Array Index

Related Identifiers

CVE-2026-41643
GHSA-8RXH-R2P6-7F2Q

Affected Products

Gobgp