CVE-2026-49837

MEDIUMPre-NVD 5.95.9
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.9
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries

Summary

GoBGP contains a BGP OPEN capability parsing issue where several concrete capability decoders may parse data from the full remaining capability buffer instead of the slice bounded by the declared capability length, CapLen. A malformed BGP OPEN message can cause bytes from a following capability to be interpreted as part of the current capability. The most security-relevant case is the 4-octet AS capability, where a capability with CapLen == 0 may cause the parser to read bytes from the following capability as the 4-octet AS value. This parsed value may later affect peer AS validation during BGP session establishment.

Details

The issue is in the BGP OPEN capability parser under:
  • pkg/packet/bgp/bgp.go
  • pkg/packet/bgp/validate.go
  • The BGP OPEN optional parameter capability format includes a capability code, a capability length field, and a capability value. Each concrete capability decoder should only parse bytes inside the declared capability value boundary.
In affected versions, the generic capability parser records the declared CapLen, but several concrete capability decoders continue parsing from the full remaining capability buffer after advancing past the two-byte capability header. Conceptually, the vulnerable pattern is: ``go data = data[2:] // decoder reads from data without first limiting it to CapLen

PoC

The following parser-level proof of concept demonstrates the issue without requiring a full BGP session or a running
bgpd instance. The malformed capability uses:
  • Capability Code: 65 (BGP_CAP_FOUR_OCTET_AS_NUMBER)
  • Declared CapLen: 0
  • Four following bytes: 00 00 fd e8

Although the capability declares an empty value, affected versions parse the following four bytes as the 4-octet AS value 65000.

Impact

A remote peer that can send a malformed BGP OPEN message to a GoBGP instance may cause capability values to be parsed from outside their declared CapLen` boundaries. In the 4-octet AS capability case, this may affect:
  • peer AS validation;
  • capability negotiation;
  • interpretation of malformed OPEN messages;
  • acceptance or rejection decisions during BGP session establishment.
This issue does not appear to be arbitrary memory corruption, remote code execution, or information disclosure. It is a protocol parser boundary validation issue that can affect BGP OPEN validation semantics.

CVSS v3
5.9
EG Score
5.9(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-49837(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 6× in last 7d / 6× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 02:42 UTCEG score recompute
  2. 2026-07-14 02:05 UTCEG score recompute
  3. 2026-07-13 01:30 UTCEG score recompute
  4. 2026-07-12 00:55 UTCEG score recompute
  5. 2026-07-11 00:21 UTCEG score recompute
  6. 2026-07-09 23:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49837?
CVE-2026-49837 is a medium vulnerability published on July 9, 2026. GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries Summary GoBGP contains a BGP OPEN capability parsing issue where several concrete capability decoders may parse data from the full remaining capability buffer instead of the slice bounded by the declared…
When was CVE-2026-49837 disclosed?
CVE-2026-49837 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49837?
CVE-2026-49837 has a CVSS v4.0 base score of 5.9 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49837?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49837, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49837

Explore →

Is Your Infrastructure Affected by CVE-2026-49837?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.