| Name | CVE-2025-43970 |
| Description | An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| gobgp (PTS) | bullseye | 2.25.0-2 | vulnerable |
| bookworm | 3.10.0-1 | vulnerable |
| forky, sid, trixie | 3.36.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| gobgp | source | (unstable) | 3.35.0-1 | | | |
Notes
[bookworm] - gobgp <no-dsa> (Minor issue)
[bullseye] - gobgp <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
Fixed by: https://github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0 (v3.35.0)