CVE-2026-42285
Published: 07 May 2026
Summary
CVE-2026-42285 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in osrg/gobgp (GoBGP). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK sub-technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE is ranked at the 41.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28355
Vulnerability details
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go programming language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
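The description turns on two length fields that a BGP UPDATE parser must keep consistent: Total Path Attribute Length and each attribute's own length. The following is an added illustration written for this page; it is not GoBGP's code and does not reproduce the fix shipped in 4.5.0. It decodes an UPDATE body per RFC 4271 and rejects any message whose declared lengths disagree with the bytes actually present, so nothing downstream (a RIB update, a withdraw transition) ever sees a half-decoded path. The two sample bodies are constructed for the example, not captured traffic; the type names and the ErrMalformed sentinel are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrMalformed = errors.New("malformed UPDATE: inconsistent length field")

// PathAttribute is one BGP path attribute (RFC 4271 section 4.3).
type PathAttribute struct {
	Flags    uint8
	TypeCode uint8
	Value    []byte
}

// Update is a decoded UPDATE body (everything after the 19-byte BGP header).
type Update struct {
	Attributes []PathAttribute
	NLRI       []byte
}

// ParseUpdateBody checks every declared length against the bytes actually
// present before slicing, so a peer cannot steer the parser past the buffer.
func ParseUpdateBody(body []byte) (*Update, error) {
	if len(body) < 4 {
		return nil, fmt.Errorf("%w: body is only %d bytes", ErrMalformed, len(body))
	}
	wlen := int(binary.BigEndian.Uint16(body[0:2]))
	off := 2 + wlen
	if off+2 > len(body) {
		return nil, fmt.Errorf("%w: withdrawn routes length %d", ErrMalformed, wlen)
	}
	alen := int(binary.BigEndian.Uint16(body[off : off+2]))
	off += 2
	if off+alen > len(body) {
		return nil, fmt.Errorf("%w: total path attribute length %d", ErrMalformed, alen)
	}
	attrs, err := parseAttributes(body[off : off+alen])
	if err != nil {
		return nil, err
	}
	return &Update{Attributes: attrs, NLRI: body[off+alen:]}, nil
}

// parseAttributes walks the attribute block; each attribute's own length must
// fit inside the block bounded by Total Path Attribute Length.
func parseAttributes(buf []byte) ([]PathAttribute, error) {
	var attrs []PathAttribute
	for off := 0; off < len(buf); {
		if len(buf)-off < 3 {
			return nil, fmt.Errorf("%w: truncated attribute header", ErrMalformed)
		}
		flags, code := buf[off], buf[off+1]
		off += 2
		var vlen int
		if flags&0x10 != 0 { // Extended Length flag: two-byte length field
			if len(buf)-off < 2 {
				return nil, fmt.Errorf("%w: truncated extended length", ErrMalformed)
			}
			vlen = int(binary.BigEndian.Uint16(buf[off : off+2]))
			off += 2
		} else {
			vlen = int(buf[off])
			off++
		}
		if off+vlen > len(buf) {
			return nil, fmt.Errorf("%w: attribute type %d declares %d bytes but %d remain", ErrMalformed, code, vlen, len(buf)-off)
		}
		attrs = append(attrs, PathAttribute{Flags: flags, TypeCode: code, Value: buf[off : off+vlen]})
		off += vlen
	}
	return attrs, nil
}

// Constructed sample (not captured traffic): ORIGIN=IGP, NEXT_HOP=192.0.2.1, NLRI 198.51.100.0/24.
var ValidUpdateBody = []byte{
	0x00, 0x00, 0x00, 0x0b, // withdrawn routes length 0, total path attribute length 11
	0x40, 0x01, 0x01, 0x00, // ORIGIN, length 1
	0x40, 0x03, 0x04, 0xc0, 0x00, 0x02, 0x01, // NEXT_HOP, length 4
	0x18, 0xc6, 0x33, 0x64, // NLRI
}

// Same message, but NEXT_HOP now claims 8 value bytes while the block still declares 11 in total.
var InconsistentUpdateBody = []byte{
	0x00, 0x00, 0x00, 0x0b, 0x40, 0x01, 0x01, 0x00,
	0x40, 0x03, 0x08, 0xc0, 0x00, 0x02, 0x01,
	0x18, 0xc6, 0x33, 0x64,
}

func main() {
	for _, body := range [][]byte{ValidUpdateBody, InconsistentUpdateBody} {
		u, err := ParseUpdateBody(body)
		fmt.Printf("update=%+v err=%v\n", u, err)
	}
}
```

The point of the inconsistent sample is that the message as a whole is long enough to satisfy a naive parser: the oversized NEXT_HOP simply swallows the NLRI bytes. Only the check against the attribute block's own bound catches it, and the message is rejected before any RIB action is derived from it.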
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A crafted BGP UPDATE triggers a nil dereference crash in an exposed BGP service, directly enabling application exploitation for endpoint denial of service.