Cyber Posture

CVE-2026-7735

High

Published: 04 May 2026

Published
04 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0007 21.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7735 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Osrg Gobgp. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the buffer overflow by requiring timely flaw remediation through upgrading GoBGP to the patched version 4.4.0.

SI-10 Information Input Validation good match
prevent

Requires validation of BGP packet inputs at the AIGP attribute parser to block malformed data causing the buffer overflow.

SI-16 Memory Protection partial match
prevent

Implements memory safeguards like ASLR and DEP to reduce exploitability of the buffer overflow in PathAttributeAigp.DecodeFromBytes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Buffer overflow in remotely accessible BGP packet parser (AIGP attribute handling) directly enables unauthenticated remote exploitation of a network-exposed routing service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely.…

more

Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.

Deeper analysisAI

CVE-2026-7735 is a buffer overflow vulnerability affecting osrg GoBGP versions up to 4.3.0. The flaw exists in the PathAttributeAigp.DecodeFromBytes function within the file pkg/packet/bgp/bgp.go, specifically in the AIGP Attribute Parser component. It is linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. Manipulation of BGP packets triggers the buffer overflow, enabling limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Advisories recommend upgrading to GoBGP version 4.4.0, which resolves the issue through patch commit 51ad1ada06cb41ce47b7066799981816f50b7ced. Additional details are available on the GoBGP GitHub repository, the commit page, the v4.4.0 release, and VulDB entries.

Details

CWE(s)
CWE-119CWE-120

Affected Products

osrg
gobgp
≤ 4.4.0

CVEs Like This One

CVE-2026-7736Same product: Osrg Gobgp
CVE-2026-30405Same product: Osrg Gobgp
CVE-2026-41643Same product: Osrg Gobgp
CVE-2026-41642Same product: Osrg Gobgp
CVE-2025-14709Shared CWE-119, CWE-120
CVE-2025-10838Shared CWE-119, CWE-120
CVE-2025-11385Shared CWE-119, CWE-120
CVE-2026-5982Shared CWE-119, CWE-120
CVE-2025-9812Shared CWE-119, CWE-120
CVE-2025-9780Shared CWE-119, CWE-120

References