Skip to main content

Github Com Buger Jsonparser CVE-2026-32285

| EUVDEUVD-2026-16345 HIGH
Improper Validation of Array Index (CWE-129)
2026-03-26 Go GHSA-6g7g-w4f8-9c9x
7.5
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:01 euvd
EUVD-2026-16345
Analysis Generated
Mar 26, 2026 - 20:01 vuln.today
CVE Published
Mar 26, 2026 - 19:40 nvd
HIGH 7.5

DescriptionCVE.org

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

AnalysisAI

The jsonparser library for Go fails to validate slice offsets when processing malformed JSON, enabling remote denial of service through crafted input that triggers negative array indices and runtime panics. The GitHub buger/jsonparser project across all versions is affected. Attackers can send specially crafted JSON payloads to applications using vulnerable versions, causing immediate service termination without requiring authentication or user interaction.

Technical ContextAI

The jsonparser library (CPE: cpe:2.3:a:github.com/buger/jsonparser:github.com/buger/jsonparser:*:*:*:*:*:*:*:*) is a Go package for high-performance JSON parsing and value extraction. The vulnerability resides in the Delete function's offset calculation logic, which fails to properly validate array slice boundaries before accessing or manipulating JSON data structures. When the Delete function processes malformed JSON input-particularly payloads with unexpected structural anomalies-it can calculate negative slice indices. This violation of Go's slice semantics causes an immediate runtime panic in the affected function, crashing the application process. The root cause is an input validation failure (CWE classification not provided in source data, but consistent with improper input handling and bounds checking deficiencies).

RemediationAI

Upgrade the jsonparser library to the latest patched version available from the GitHub repository (https://github.com/buger/jsonparser). Exact patch version information is not provided in available data; consult the official Go vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-4514 for the specific fixed release. As an interim mitigation, implement strict JSON schema validation and sanitization of all untrusted JSON input before passing it to the Delete function; use a JSON schema validator or alternative parsing library with known bounds-checking protections. Monitor application logs for runtime panics mentioning the Delete function and consider rate-limiting or blocking requests that trigger these errors until patches are deployed. If immediate patching is impossible, isolate vulnerable services behind a reverse proxy that validates JSON structure before forwarding.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed

Share

CVE-2026-32285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy