Cyber Posture

CVE-2026-26514

HighPublic PoC

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0020 41.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26514 is a high-severity Argument Injection (CWE-88) vulnerability in Xddxdd Bird-Lg-Go. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated argument injection in public-facing bird-lg-go (traceroute module) directly enables exploitation of public-facing applications (T1190) to achieve application/system DoS via crafted flags that exhaust resources (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to…

more

cause a Denial of Service (DoS) by exhausting system resources.

Deeper analysisAI

CVE-2026-26514 is an Argument Injection vulnerability (CWE-88) in the bird-lg-go project, a Go-language implementation of a BGP looking glass, affecting versions prior to commit 6187a4e. The issue resides in the traceroute module, which relies on shlex.Split to parse user-supplied input without proper validation. This allows attackers to inject arbitrary command-line flags, such as -w or -q, through the q parameter.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By crafting malicious q parameter values, attackers can manipulate the traceroute command to exhaust system resources, resulting in a Denial of Service (DoS) condition that disrupts service availability.

Mitigation is addressed in commit 6187a4e3afce6d8c29568f8c72ca497d1f5a2b56, available via the project's GitHub repository, which resolves the parsing flaw. Additional details are documented in GitHub issue #136. Security practitioners should update to this commit or later and review deployments of bird-lg-go for exposure.

Details

CWE(s)
CWE-88

Affected Products

xddxdd
bird-lg-go
≤ 1.4.1

CVEs Like This One

CVE-2026-26194Shared CWE-88
CVE-2026-22582Shared CWE-88
CVE-2026-2298Shared CWE-88
CVE-2025-70327Shared CWE-88
CVE-2026-25134Shared CWE-88
CVE-2026-24126Shared CWE-88
CVE-2025-21613Shared CWE-88
CVE-2026-22583Shared CWE-88
CVE-2026-24061Shared CWE-88
CVE-2026-40113Shared CWE-88

References