CVE-2026-49838

MEDIUMPre-NVD 5.95.9
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.9
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

GoBGP confederation validation panics on empty AS_PATH attribute

Found through variant analysis based on CVE-2026-41643

Summary

GoBGP accepts a zero-length AS_PATH during UPDATE decoding and later panics while validating that attribute for a confederation eBGP peer. The vulnerable path is in the BGP UPDATE validator: a malformed UPDATE that should be rejected as a malformed AS_PATH instead reaches an unchecked p.Value[0] access, allowing a configured confederation eBGP peer to trigger a denial of service.

Affected

  • Project: gobgp
  • Repo: https://github.com/osrg/gobgp
  • Pinned ref: c24629411ba49f160d9dc09126f418218127e016

Root cause

An established peer's receive path reads BGP bytes from the network connection in pkg/server/fsm.go:1267, parses UPDATE bodies through the BGP message decoder, and validates decoded UPDATEs with peer state at pkg/server/fsm.go:1849. The UPDATE decoder walks the path-attribute list in pkg/packet/bgp/bgp.go:15773 and selects the concrete attribute parser from the attacker-controlled attribute type at pkg/packet/bgp/bgp.go:15855. For AS_PATH, PathAttributeAsPath.DecodeFromBytes returns nil when the decoded attribute length is zero (pkg/packet/bgp/bgp.go:11533, pkg/packet/bgp/bgp.go:11538), leaving p.Value empty rather than reporting a malformed attribute. Validation then dispatches each decoded attribute through ValidateAttribute (pkg/packet/bgp/validate.go:34); in the confederation eBGP branch, pkg/packet/bgp/validate.go:162 indexes p.Value[0] before checking that any AS_PATH segment was decoded. The eBGP and confederation guards are normal peer-state gates: pkg/config/oc/util.go:127 defines eBGP as peer AS differing from local AS, pkg/config/oc/util.go:116 checks confederation membership, and pkg/server/fsm.go:740 and pkg/server/fsm.go:741 copy those results into the FSM state used by the validator.

Reproduction

INT-bgp-gobgp-confed-empty-aspath-panic.zip

bash ./poc/run.sh

TRIGGERED: confed empty AS_PATH validation panic: runtime error: index out of range

The TRIGGERED line is the recovered panic fingerprint from the confederation eBGP validation path after a zero-length AS_PATH has decoded successfully. A build failure or any output without that fingerprint would not demonstrate this bug, because the signal is tied to the unchecked AS_PATH segment access.

Impact

A remote unauthenticated peer that is configured as a confederation eBGP neighbor can establish a BGP session and send a single malformed UPDATE containing a syntactically valid AS_PATH attribute header with zero value length. Because the decode path does not turn that empty AS_PATH into a MessageError, normal malformed-attribute handling is bypassed and validation panics before GoBGP can return a BGP NOTIFICATION. The demonstrated effect is denial of service for the receive goroutine and peer session, with potential process termination if the panic is not recovered by the runtime path; no memory corruption, data disclosure, authentication bypass, or code execution is claimed.

Suggested fix

``001-fix.diff diff --git a/pkg/packet/bgp/validate.go b/pkg/packet/bgp/validate.go index 2237afb..f07f4fa 100644 --- a/pkg/packet/bgp/validate.go +++ b/pkg/packet/bgp/validate.go @@ -159,6 +159,9 @@ func ValidateAttribute(a PathAttributeInterface, rfs map[Family]BGPAddPathMode, case *PathAttributeAsPath: if isEBGP { if isConfed { + if len(p.Value) == 0 { + return false, NewMessageError(eCode, eSubCodeMalformedAspath, nil, "empty AS_PATH for confederation eBGP") + } if segType := p.Value[0].GetType(); segType != BGP_ASPATH_ATTR_TYPE_CONFED_SEQ { return false, NewMessageError(eCode, eSubCodeMalformedAspath, nil, fmt.Sprintf("segment type is not confederation seq (%d)", segType)) } ``

Resources

  • https://github.com/osrg/gobgp/blob/c24629411ba49f160d9dc09126f418218127e016/pkg/packet/bgp/bgp.go#L11533-L11540
  • https://github.com/osrg/gobgp/blob/c24629411ba49f160d9dc09126f418218127e016/pkg/packet/bgp/validate.go#L159-L164

CVSS v3
5.9
EG Score
5.9(low)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-49838(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 6× in last 7d / 6× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 11:30 UTCEG score recompute
  2. 2026-07-14 09:08 UTCEG score recompute
  3. 2026-07-13 06:48 UTCEG score recompute
  4. 2026-07-12 04:28 UTCEG score recompute
  5. 2026-07-11 02:07 UTCEG score recompute
  6. 2026-07-09 23:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49838?
CVE-2026-49838 is a medium vulnerability published on July 9, 2026. GoBGP confederation validation panics on empty AS_PATH attribute Found through variant analysis based on CVE-2026-41643 Summary GoBGP accepts a zero-length ASPATH during UPDATE decoding and later panics while validating that attribute for a confederation eBGP peer. The vulnerable path is in the BGP…
When was CVE-2026-49838 disclosed?
CVE-2026-49838 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49838?
CVE-2026-49838 has a CVSS v4.0 base score of 5.9 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49838?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49838, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49838

Explore →

Is Your Infrastructure Affected by CVE-2026-49838?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.