CVE-2026-7734

MEDIUM 5.3

osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component.

CWE	CWE-404
Vendor	osrg
Product	gobgp
Published	May 4, 2026

Stay Ahead of the Next One

Get instant alerts for osrg gobgp

Be the first to know when new medium vulnerabilities affecting osrg gobgp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

osrg / GoBGP

4.0 4.1 4.2 4.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/360909 vuldb.com: https://vuldb.com/vuln/360909/cti vuldb.com: https://vuldb.com/submit/807581 github.com: https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 github.com: https://github.com/osrg/gobgp/releases/tag/v4.4.0 github.com: https://github.com/osrg/gobgp/

Credits

🔍 rensiru (VulDB User)