What is the CVSS score of CVE-2026-33666?

CVE-2026-33666 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Zserio are affected by CVE-2026-33666?

CVE-2026-33666 affects Zserio serialization framework versions before 2.18.1 and enables remote denial of service attacks against any application accepting untrusted network input.

Zserio CVE-2026-33666

EUVD-2026-25593 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-04-24 GitHub_M

Buffer Overflow Integer Overflow

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 19:22 vuln.today

cvss_changed

Analysis Generated

Apr 24, 2026 - 19:00 vuln.today

EUVD ID Assigned

Apr 24, 2026 - 18:45 euvd

EUVD-2026-25593

Analysis Generated

Apr 24, 2026 - 18:45 vuln.today

CVE Published

Apr 24, 2026 - 18:21 nvd

HIGH 7.5

DescriptionNVD

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.

AnalysisAI

Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. …

RemediationAI

Within 24 hours: inventory all applications and services using Zserio framework and identify those exposed to untrusted network input; document current Zserio versions in use. Within 7 days: implement network segmentation or input validation controls to restrict deserialization of untrusted Zserio data; consider disabling remote Zserio endpoints if operationally feasible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33666 vulnerability details – vuln.today

Back

Zserio CVE-2026-33666

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code