Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-5123

3.7 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 weeks, 5 days ago

osrg GoBGP bgp.go DecodeFromBytes off-by-one

A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.

References

VDB-354155 | osrg GoBGP bgp.go DecodeFromBytes off-by-one vdb-entrytechnical-description
VDB-354155 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #780179 | osrg GoBGP 4.3.0 Off-by-one Error third-party-advisory
https://github.com/osrg/gobgp/pull/3342 patchissue-tracking
https://github.com/osrg/gobgp/commit/67c059413470df64bc20801c46f64058e88f800f patch
https://github.com/osrg/gobgp/ product

Affected products

GoBGP

==4.1
==4.0
==4.3.0
==4.2

Matching in nixpkgs

pkgs.gobgp

CLI tool for GoBGP

nixos-unstable 4.3.0
- nixpkgs-unstable 4.3.0
- nixos-unstable-small 4.3.0
nixos-25.11 3.37.0
- nixos-25.11-small 3.37.0
- nixpkgs-25.11-darwin 3.37.0

pkgs.gobgpd

BGP implemented in Go

nixos-unstable 4.3.0
- nixpkgs-unstable 4.3.0
- nixos-unstable-small 4.3.0
nixos-25.11 3.37.0
- nixos-25.11-small 3.37.0
- nixpkgs-25.11-darwin 3.37.0

Package maintainers

@higebu Yuya Kusakabe <yuya.kusakabe@gmail.com>