CVE-2026-7736 Overview
CVE-2026-7736 is an integer underflow vulnerability in osrg GoBGP versions up to 4.3.0. The flaw resides in the parseRibEntry function within pkg/packet/mrt/mrt.go, which handles Multi-Threaded Routing Toolkit (MRT) Routing Information Base (RIB) entry parsing. An attacker can trigger the underflow remotely by submitting crafted MRT data, causing a uint16 calculation to wrap and produce out-of-bounds slice operations. The maintainers addressed the issue in version 4.4.0 via commit 76d911046344a3923cbe573364197aa081944592. The weakness is classified under CWE-189 (Numeric Errors).
Critical Impact
A remote attacker can supply malformed MRT data that triggers an integer underflow in parseRibEntry, leading to a denial-of-service condition or memory corruption against any service consuming untrusted MRT input via GoBGP.
Affected Products
- osrg GoBGP versions up to and including 4.3.0
- Applications and services importing the pkg/packet/mrt package from affected GoBGP releases
- Border Gateway Protocol (BGP) tooling that processes third-party MRT route dumps using GoBGP
Discovery Timeline
- 2026-05-04 - CVE-2026-7736 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7736
Vulnerability Analysis
GoBGP is a Go implementation of BGP used for routing services and as a parsing library for MRT-format route archives. The parseRibEntry function reads a 16-bit total length field from incoming MRT data, then advances its slice cursor before iterating path attributes. Without a bounds check between the declared length and the remaining buffer, the loop logic can decrement an unsigned integer past zero. The resulting underflow forces the parser to read beyond the buffer or loop indefinitely on attacker-controlled data. Because BGP services and offline MRT analysis tools commonly accept routing data from external peers and feeds, the input is reachable across the network.
Root Cause
The root cause is the absence of a length validation between the parsed totalLen field and the available bytes in the data slice. The code trusts the attacker-supplied length to fit within the remaining buffer. When len(data) < totalLen, the subsequent slice arithmetic produces a uint16 underflow inside the path attribute loop. This is a classic numeric error pattern in MRT/BGP parsers where length-prefixed fields are not cross-validated against actual buffer size.
Attack Vector
Exploitation requires no authentication or user interaction. An attacker delivers a malformed MRT record to any consumer of GoBGP's MRT parser. Realistic delivery paths include hostile BGP peers exporting MRT dumps, malicious route collector archives, or supply-chain delivery of crafted .mrt files to operators running offline analysis. Successful exploitation produces a denial of service in the parsing process.
// Patch from pkg/packet/mrt/mrt.go - adds bounds check before path attribute loop
totalLen := binary.BigEndian.Uint16(data[:2])
data = data[2:]
+ if len(data) < int(totalLen) {
+ return nil, nil, errNotAllRibEntryBytesAvailable
+ }
options := &bgp.MarshallingOption{
MRT: true,
}
Source: GoBGP commit 76d9110
Detection Methods for CVE-2026-7736
Indicators of Compromise
- Unexpected crashes or panics in Go processes that link the github.com/osrg/gobgp/pkg/packet/mrt package
- BGP daemons or MRT analysis tools terminating with runtime error: slice bounds out of range stack traces referencing parseRibEntry
- Repeated malformed MRT TABLE_DUMP_V2 messages from a single peer or feed source
Detection Strategies
- Inventory Go binaries and container images for vulnerable GoBGP versions using software composition analysis against the module path github.com/osrg/gobgp at versions ≤ 4.3.0
- Inspect BGP and MRT collector logs for parser errors, panics, or restart loops correlated to specific peers
- Capture and replay suspicious MRT files in an isolated environment to confirm crash behavior before exposing production parsers
Monitoring Recommendations
- Alert on abnormal restart counts for BGP services and MRT processing pipelines
- Track ingress sources of MRT data and apply allow-lists for trusted route collectors
- Monitor process memory and CPU on hosts performing MRT analysis for anomalies suggesting parser abuse
How to Mitigate CVE-2026-7736
Immediate Actions Required
- Upgrade GoBGP to version 4.4.0 or later, which includes commit 76d911046344a3923cbe573364197aa081944592
- Rebuild and redeploy any downstream Go applications that vendor or import the affected pkg/packet/mrt package
- Restrict MRT ingest to trusted sources until patched binaries are in production
Patch Information
The fix is available in the GoBGP v4.4.0 release. The relevant change adds an explicit length check ensuring len(data) >= int(totalLen) before entering the path attribute loop, returning errNotAllRibEntryBytesAvailable when the buffer is short. Operators using Go modules should update with go get github.com/osrg/gobgp/v4@v4.4.0 and rebuild affected binaries.
Workarounds
- Disable or isolate MRT parsing functionality if upgrading is not immediately feasible
- Filter inbound MRT data through size and structural validation at a network proxy before it reaches GoBGP
- Run MRT analysis tools in sandboxed processes with automatic restart and resource limits to contain crashes
# Update GoBGP via Go modules in your project
go get github.com/osrg/gobgp/v4@v4.4.0
go mod tidy
go build ./...
# Verify the installed version
gobgpd --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
