Cyber Resilience

CVE-2026-41642

HighPublic PoC

Published: 07 May 2026

Published
07 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 19.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41642 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Osrg Gobgp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message…

more

contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed BGP UPDATE triggers nil dereference crash in GoBGP daemon, directly enabling remote endpoint DoS via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42285Same product: Osrg Gobgp
CVE-2026-30405Same product: Osrg Gobgp
CVE-2026-41643Same product: Osrg Gobgp
CVE-2026-7736Same product: Osrg Gobgp
CVE-2026-7735Same product: Osrg Gobgp
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476

Affected Assets

osrg
gobgp
4.3.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References