Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.
AnalysisAI
Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. EPSS data not available, no active exploitation confirmed, but remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.
Technical ContextAI
Zserio is a serialization framework (similar to Protocol Buffers or Apache Thrift) designed for compact binary encoding with low overhead. The vulnerability exists in BitStreamReader.h's readBytes() and readString() methods, which handle deserialization of byte arrays and strings from the binary stream. These methods use setBitPosition() to validate buffer boundaries before reading. The CWE-190 integer overflow occurs when calculating bit positions - the arithmetic overflows, wrapping to a small value that bypasses the bounds check. The code then attempts to read the original large length value (up to 512 MB according to the description) from a buffer that may only contain a few bytes, causing memory access violations. This is a classic example of TOCTOU (time-of-check-time-of-use) failure where the checked value differs from the used value due to integer wraparound.
RemediationAI
Upgrade to Zserio version 2.18.1 or later, which includes the fix for the integer overflow in BitStreamReader bounds checking. The patch is available through the Ndsev GitHub repository (https://github.com/ndsev/zserio). If immediate upgrade is not feasible, implement compensating controls by restricting deserialization endpoints to accept Zserio input only from authenticated and trusted sources - specifically, remove network exposure of any API endpoints accepting raw Zserio binary data from the internet or untrusted networks. Additional defense-in-depth: deploy resource limits (memory caps, request size limits) in application containers to contain denial-of-service impact from segmentation faults, though this does not prevent the crash itself. Validate Zserio schema definitions to minimize use of unbounded byte arrays or strings where fixed-size alternatives suffice. Monitor application crash logs for segmentation faults in BitStreamReader code paths as potential exploitation indicators. No workaround fully mitigates the vulnerability without upgrading.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25593