Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
AnalysisAI
Truncated msgpack fixext format data (codes 0xd4-0xd8) decoded by shamaton/msgpack library versions across v1, v2, and v3 fail to validate input buffer boundaries, triggering out-of-bounds memory reads and runtime panics that enable denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without requiring authentication or user interaction.
Technical ContextAI
The msgpack binary serialization format defines fixed extension (fixext) types using format codes 0xd4 through 0xd8, each with predefined payload sizes. The shamaton/msgpack Go library decoder processes these types but does not properly verify that sufficient bytes remain in the input buffer before attempting to read the expected payload length. This is a classic buffer bounds-checking failure (CWE category: improper input validation). The affected CPE entries indicate all major versions of the library are impacted: cpe:2.3:a:github.com/shamaton/msgpack, cpe:2.3:a:github.com/shamaton/msgpack/v2, and cpe:2.3:a:github.com/shamaton/msgpack/v3. The root cause is the decoder's assumption that the input buffer contains complete msgpack frames without validation, leading to attempted reads beyond allocated memory regions.
RemediationAI
Upgrade to a patched version of shamaton/msgpack when made available by the maintainers. In the interim, applications should implement input validation and size limits on msgpack data before passing to the decoder, enforce strict read timeouts to detect stalled parsing, and restrict msgpack deserialization to trusted sources only where feasible. Monitor the official GitHub repository (github.com/shamaton/msgpack) and the Go vulnerability database (golang/vulndb) for patched release announcements. If immediate patching is not possible, consider using an alternative msgpack library that has been audited for buffer validation or temporarily disabling msgpack deserialization features in production until a fix is available.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16343
GHSA-h9q6-hc68-35rp