CVE-2026-26514
Published: 04 March 2026
Summary
CVE-2026-26514 is a high-severity Argument Injection (CWE-88) vulnerability in Xddxdd Bird-Lg-Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26514 is an Argument Injection vulnerability (CWE-88) in the bird-lg-go project, a Go-language implementation of a BGP looking glass, affecting versions prior to commit 6187a4e. The issue resides in the traceroute module, which relies on shlex.Split to parse user-supplied input without proper validation. This allows attackers to inject arbitrary command-line flags, such as -w or -q, through the q parameter.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By crafting malicious q parameter values, attackers can manipulate the traceroute command to exhaust system resources, resulting in a Denial of Service (DoS) condition that disrupts service availability.
Mitigation is addressed in commit 6187a4e3afce6d8c29568f8c72ca497d1f5a2b56, available via the project's GitHub repository, which resolves the parsing flaw. Additional details are documented in GitHub issue #136. Security practitioners should update to this commit or later and review deployments of bird-lg-go for exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9411
Vulnerability details
An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to…
more
cause a Denial of Service (DoS) by exhausting system resources.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated argument injection in public-facing bird-lg-go (traceroute module) directly enables exploitation of public-facing applications (T1190) to achieve application/system DoS via crafted flags that exhaust resources (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the argument injection vulnerability by requiring validation of user-supplied inputs like the 'q' parameter before parsing with shlex.Split.
Ensures timely flaw remediation by updating bird-lg-go to commit 6187a4e or later, eliminating the parsing vulnerability.
Mitigates the DoS impact of resource exhaustion from injected traceroute flags by implementing denial-of-service protections.