Skip to main content

Github Com Shamaton Msgpack CVE-2026-32284

| EUVDEUVD-2026-16343 HIGH
Out-of-bounds Read (CWE-125)
2026-03-26 Go GHSA-h9q6-hc68-35rp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 20:01 euvd
EUVD-2026-16343
Analysis Generated
Mar 26, 2026 - 20:01 vuln.today
CVE Published
Mar 26, 2026 - 19:40 nvd
HIGH 7.5

DescriptionCVE.org

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

AnalysisAI

Truncated msgpack fixext format data (codes 0xd4-0xd8) decoded by shamaton/msgpack library versions across v1, v2, and v3 fail to validate input buffer boundaries, triggering out-of-bounds memory reads and runtime panics that enable denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without requiring authentication or user interaction.

Technical ContextAI

The msgpack binary serialization format defines fixed extension (fixext) types using format codes 0xd4 through 0xd8, each with predefined payload sizes. The shamaton/msgpack Go library decoder processes these types but does not properly verify that sufficient bytes remain in the input buffer before attempting to read the expected payload length. This is a classic buffer bounds-checking failure (CWE category: improper input validation). The affected CPE entries indicate all major versions of the library are impacted: cpe:2.3:a:github.com/shamaton/msgpack, cpe:2.3:a:github.com/shamaton/msgpack/v2, and cpe:2.3:a:github.com/shamaton/msgpack/v3. The root cause is the decoder's assumption that the input buffer contains complete msgpack frames without validation, leading to attempted reads beyond allocated memory regions.

RemediationAI

Upgrade to a patched version of shamaton/msgpack when made available by the maintainers. In the interim, applications should implement input validation and size limits on msgpack data before passing to the decoder, enforce strict read timeouts to detect stalled parsing, and restrict msgpack deserialization to trusted sources only where feasible. Monitor the official GitHub repository (github.com/shamaton/msgpack) and the Go vulnerability database (golang/vulndb) for patched release announcements. If immediate patching is not possible, consider using an alternative msgpack library that has been audited for buffer validation or temporarily disabling msgpack deserialization features in production until a fix is available.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy