Suse
CVE-2026-35480
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.
A CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.
Schema-free decoding (i.e. using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as Any in the schema permits unconstrained nesting within that field.
The fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.
AnalysisAI
Denial-of-service vulnerability in go-ipld-prime DAG-CBOR decoder allows remote attackers to cause excessive memory allocation through CBOR headers declaring arbitrarily large collection sizes without preallocation caps. A malicious payload under 100 bytes with nested structures can trigger over 9GB of memory allocation, crashing applications using the library. The vulnerability affects all versions prior to v0.22.0, and while no confirmed active exploitation has been reported, the attack requires only unauthenticated network access and minimal attacker resources.
Technical ContextAI
The go-ipld-prime library (github.com/ipld/go-ipld-prime) implements CBOR (Concise Binary Object Representation) decoding with support for IPLD (InterPlanetary Linked Data) structures. The vulnerability exists in the DAG-CBOR decoder's handling of collection size hints. CBOR headers for maps and lists include a declared size parameter that the decoder previously used directly as a preallocation hint for Go's internal map and slice data structures. The root cause (CWE-770: Allocation of Resources Without Limits or Throttling) stems from two design flaws: the decoder did not cap these hints, and the allocation budget tracking mechanism only decremented cost as entries were actually decoded, not when sizes were declared. This creates a gap between declared collection size and actual memory cost. Schema-free decoding using basicnode.Prototype.Any amplifies the risk by permitting arbitrary nesting depth; even schema-bound decoding remains vulnerable when fields are typed as Any, allowing unconstrained nesting within those fields. The compounding effect of nested structures means each nesting level triggers independent, unchecked preallocation while consuming minimal budget (one entry per parent level), enabling exponential memory growth.
RemediationAI
Upgrade go-ipld-prime to v0.22.0 or later, which implements caps on preallocation size hints (limited to 1024 entries) and properly decrements the allocation budget when collection sizes are declared. The fix is available as a released version at https://github.com/ipld/go-ipld-prime/releases/tag/v0.22.0 and the upstream patch commit e43bf4a27055fe8d895671a731ee5041e2d983a9. For applications unable to update immediately, minimize exposure by restricting CBOR decoding endpoints to trusted sources, implementing external request-size limits (e.g., maximum message size in reverse proxies), and monitoring memory usage for anomalous spikes. No workaround within the library itself is available for older versions; patching is the definitive fix. Consult the GitHub Security Advisory at https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f for additional context and verification of fix effectiveness.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-378j-3jfj-8r9f