CVE-2026-7736
Published: 04 May 2026
Summary
CVE-2026-7736 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in osrg GoBGP. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of known software flaws such as the integer underflow in GoBGP's parseRibEntry function via patching to version 4.4.0.
- Mandates validation of incoming MRT packet data to reject malformed inputs that trigger the integer underflow vulnerability.
- Requires vulnerability scanning and monitoring to identify the presence of CVE-2026-7736 in deployed GoBGP instances for prompt remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of GoBGP's MRT parser (an integer underflow on malformed input) maps directly to initial access through exploitation of a public-facing or remote service, and to denial-of-service impact through application-level exploitation; the limited C/I/A impacts rule out RCE or post-exploitation primitives.
NVD Description
A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component.
Deeper analysis
CVE-2026-7736 is an integer underflow vulnerability affecting osrg GoBGP versions up to 4.3.0. The issue resides in the parseRibEntry function within the file pkg/packet/mrt/mrt.go, which can be triggered by malformed input leading to improper handling of integer values. This flaw, classified under CWE-189 (Numeric Errors) and CWE-191 (Integer Underflow or Wraparound), carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited over the network by a remote attacker with no authentication or user interaction. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability, such as partial data disclosure, minor tampering, or denial of service through resource exhaustion tied to the underflow condition.
Mitigation is addressed by upgrading to GoBGP version 4.4.0, which incorporates the fixing commit 76d911046344a3923cbe573364197aa081944592. Official resources, including the GoBGP GitHub repository, release notes for v4.4.0, and the specific patch commit, confirm that updating the affected component resolves the issue.
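As an added illustration of the input validation the SI-10 control above describes, and not code from GoBGP or from the fixing commit: a Go parser for the RFC 6396 TABLE_DUMP_V2 RIB entry layout that checks every declared length against the bytes actually present, so a malformed attribute length is rejected instead of wrapping during length arithmetic. The type and function names and the sample bytes in main are assumptions constructed for this example; this page does not detail how the actual GoBGP defect arises.

```go
package main
import "encoding/binary"
import "fmt"

// RibEntry is an RFC 6396 TABLE_DUMP_V2 RIB entry: peer index (2 bytes), originated time (4), attribute length (2), attributes.
type RibEntry struct {
	PeerIndex  uint16
	Originated uint32
	Attrs      []byte
}

const ribEntryHeaderLen = 8

// ParseRibEntry decodes one entry and returns the bytes consumed. Lengths are checked before any
// slicing and kept in int, so an unsigned form such as uint16(len(data))-attrLen can never wrap (CWE-191).
func ParseRibEntry(data []byte) (RibEntry, int, error) {
	if len(data) < ribEntryHeaderLen {
		return RibEntry{}, 0, fmt.Errorf("rib entry: %d bytes, need %d", len(data), ribEntryHeaderLen)
	}
	attrLen := int(binary.BigEndian.Uint16(data[6:8]))
	if attrLen > len(data)-ribEntryHeaderLen {
		return RibEntry{}, 0, fmt.Errorf("rib entry: attribute length %d exceeds %d remaining", attrLen, len(data)-ribEntryHeaderLen)
	}
	e := RibEntry{
		PeerIndex:  binary.BigEndian.Uint16(data[0:2]),
		Originated: binary.BigEndian.Uint32(data[2:6]),
		Attrs:      data[ribEntryHeaderLen : ribEntryHeaderLen+attrLen],
	}
	return e, ribEntryHeaderLen + attrLen, nil
}

// ParseRibEntries decodes count consecutive entries, stopping at the first malformed one.
func ParseRibEntries(data []byte, count uint16) ([]RibEntry, error) {
	var out []RibEntry
	for i := uint16(0); i < count; i++ {
		e, n, err := ParseRibEntry(data)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		out, data = append(out, e), data[n:]
	}
	return out, nil
}

func main() {
	good := []byte{0, 1, 0, 0, 0, 16, 0, 3, 0xAA, 0xBB, 0xCC} // constructed: peer 1, time 16, 3 attribute bytes
	bad := []byte{0, 1, 0, 0, 0, 16, 0xFF, 0xFF, 0xAA}         // constructed: declares 65535 bytes, carries 1
	es, err := ParseRibEntries(append(good, bad...), 2)
	fmt.Println(len(es), err) // 0 entry 1: rib entry: attribute length 65535 exceeds 1 remaining
}
```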
Details
- CWE(s)