CVE-2026-41643 — GoBGP has Remote Denial of Service (Panic) in UpdatePathAttrs4ByteAs via Malform

Description

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0.

How to fix CVE-2026-41643

To remediate CVE-2026-41643, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 4.3.0 or later

Is CVE-2026-41643 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 4.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41643
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-41643
PATCHgithub.com/osrg/gobgp
WEBgithub.com/osrg/gobgp/releases/tag/v4.3.0
WEB