Cyber Resilience

CVE-2026-26514

HighPublic PoC

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0021 42.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26514 is a high-severity Argument Injection (CWE-88) vulnerability in Xddxdd Bird-Lg-Go. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26514 is an Argument Injection vulnerability (CWE-88) in the bird-lg-go project, a Go-language implementation of a BGP looking glass, affecting versions prior to commit 6187a4e. The issue resides in the traceroute module, which relies on shlex.Split to parse user-supplied input without proper validation. This allows attackers to inject arbitrary command-line flags, such as -w or -q, through the q parameter.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By crafting malicious q parameter values, attackers can manipulate the traceroute command to exhaust system resources, resulting in a Denial of Service (DoS) condition that disrupts service availability.

Mitigation is addressed in commit 6187a4e3afce6d8c29568f8c72ca497d1f5a2b56, available via the project's GitHub repository, which resolves the parsing flaw. Additional details are documented in GitHub issue #136. Security practitioners should update to this commit or later and review deployments of bird-lg-go for exposure.

EU & UK References

Vulnerability details

An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to…

more

cause a Denial of Service (DoS) by exhausting system resources.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated argument injection in public-facing bird-lg-go (traceroute module) directly enables exploitation of public-facing applications (T1190) to achieve application/system DoS via crafted flags that exhaust resources (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44193Shared CWE-88
CVE-2026-22582Shared CWE-88
CVE-2026-26194Shared CWE-88
CVE-2024-47516Shared CWE-88
CVE-2026-2298Shared CWE-88
CVE-2025-70327Shared CWE-88
CVE-2026-31230Shared CWE-88
CVE-2025-21613Shared CWE-88
CVE-2026-45158Shared CWE-88
CVE-2026-22583Shared CWE-88

Affected Assets

xddxdd
bird-lg-go
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the argument injection vulnerability by requiring validation of user-supplied inputs like the 'q' parameter before parsing with shlex.Split.

prevent

Ensures timely flaw remediation by updating bird-lg-go to commit 6187a4e or later, eliminating the parsing vulnerability.

preventdetect

Mitigates the DoS impact of resource exhaustion from injected traceroute flags by implementing denial-of-service protections.

References