PT-2026-37259 · Gobgp · Gobgp

Bacon251 · Published 2026-05-05 · Updated 2026-05-07 · CVE-2026-42285

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: GoBGP versions prior to 4.5.0

Description: An unauthenticated remote BGP peer can cause a fatal panic and complete loss of service availability by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a withdraw action. This leads to a nil pointer dereference (an attempt to access memory through a pointer that was never set) within the AdjRib.Update() function. The issue originates from the interaction between the BGP message decoding logic and the Adj-RIB table management, specifically when the handleUpdate function processes malformed attributes.

Recommendations: Update to version 4.5.0.
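As an added illustration of the defensive pattern this advisory calls for (this is not GoBGP's own code and does not reproduce the bug), the stand-alone Go decoder below validates every length field of an UPDATE body before slicing into it, so a message with inconsistent attribute lengths is rejected whole with an error the caller can turn into a NOTIFICATION, rather than reaching RIB code in a partially decoded state. The names PathAttr, ParseUpdateBody and ErrAttrLength are invented for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// PathAttr is one decoded BGP path attribute (RFC 4271 section 4.3).
type PathAttr struct{ Flags, Type byte; Value []byte }

// ErrAttrLength corresponds to the NOTIFICATION "Attribute Length Error" (RFC 4271 section 6.3).
var ErrAttrLength = errors.New("bgp: attribute length error")

// ParseUpdateBody decodes a BGP UPDATE body (the bytes after the 19-byte header). Every
// length field is checked against the bytes actually present before any slice is taken.
func ParseUpdateBody(body []byte) ([]PathAttr, error) {
	if len(body) < 4 {
		return nil, ErrAttrLength
	}
	wdLen := int(binary.BigEndian.Uint16(body)) // Withdrawn Routes Length
	if 4+wdLen > len(body) {
		return nil, ErrAttrLength
	}
	paLen := int(binary.BigEndian.Uint16(body[2+wdLen:])) // Total Path Attribute Length
	if 4+wdLen+paLen > len(body) {
		return nil, ErrAttrLength
	}
	attrs := body[4+wdLen : 4+wdLen+paLen]
	var out []PathAttr
	for len(attrs) > 0 {
		if len(attrs) < 3 {
			return nil, ErrAttrLength
		}
		flags, typ := attrs[0], attrs[1]
		hdr, vLen := 3, int(attrs[2])
		if flags&0x10 != 0 { // Extended Length bit: two-byte length field
			if len(attrs) < 4 {
				return nil, ErrAttrLength
			}
			hdr, vLen = 4, int(binary.BigEndian.Uint16(attrs[2:4]))
		}
		if hdr+vLen > len(attrs) { // attribute claims more bytes than remain
			return nil, ErrAttrLength
		}
		out = append(out, PathAttr{Flags: flags, Type: typ, Value: attrs[hdr : hdr+vLen]})
		attrs = attrs[hdr+vLen:]
	}
	return out, nil
}
```

A caller that receives ErrAttrLength should send the NOTIFICATION and tear down the session without touching the Adj-RIB, which is the point at which a half-decoded message becomes dangerous.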

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2026-42285
GHSA-P3W2-64XM-833J

Affected Products

Gobgp