CVE-2026-30405
Published: 16 March 2026
Summary
CVE-2026-30405 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in GoBGP (osrg). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 43.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 directly addresses the CVE by requiring identification, reporting, and correction of the specific flaw in GoBGP gobgpd v4.2.0 that enables resource exhaustion via crafted NEXT_HOP path attributes.
SC-5 implements denial-of-service protections at system boundaries to block or mitigate remote attacks using specially crafted BGP NEXT_HOP attributes.
SC-6 protects resource availability by limiting consumption triggered by uncontrolled processing of malformed NEXT_HOP path attributes in BGP messages.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote, unauthenticated exploitation of a BGP daemon via crafted protocol messages that triggers resource exhaustion and service crash or unavailability; this maps directly to T1499.004 (Application or System Exploitation) under Endpoint Denial of Service.
NVD Description
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
Deeper analysis
CVE-2026-30405 is a denial-of-service vulnerability in GoBGP's gobgpd version 4.2.0, where a remote attacker can trigger resource exhaustion via a specially crafted NEXT_HOP path attribute in BGP messages. Published on 2026-03-16, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation leads to high-impact disruption of the gobgpd service's availability, potentially causing it to crash or become unresponsive.
Mitigation details are documented in the GitHub issue at https://github.com/osrg/gobgp/issues/3305.
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)