Skip to main content

Zserio EUVDEUVD-2026-25593

| CVE-2026-33666 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-24 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 19:00 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 18:45 euvd
EUVD-2026-25593
Analysis Generated
Apr 24, 2026 - 18:45 vuln.today
CVE Published
Apr 24, 2026 - 18:21 nvd
HIGH 7.5

DescriptionGitHub Advisory

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.

AnalysisAI

Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. EPSS data not available, no active exploitation confirmed, but remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.

Technical ContextAI

Zserio is a serialization framework (similar to Protocol Buffers or Apache Thrift) designed for compact binary encoding with low overhead. The vulnerability exists in BitStreamReader.h's readBytes() and readString() methods, which handle deserialization of byte arrays and strings from the binary stream. These methods use setBitPosition() to validate buffer boundaries before reading. The CWE-190 integer overflow occurs when calculating bit positions - the arithmetic overflows, wrapping to a small value that bypasses the bounds check. The code then attempts to read the original large length value (up to 512 MB according to the description) from a buffer that may only contain a few bytes, causing memory access violations. This is a classic example of TOCTOU (time-of-check-time-of-use) failure where the checked value differs from the used value due to integer wraparound.

RemediationAI

Upgrade to Zserio version 2.18.1 or later, which includes the fix for the integer overflow in BitStreamReader bounds checking. The patch is available through the Ndsev GitHub repository (https://github.com/ndsev/zserio). If immediate upgrade is not feasible, implement compensating controls by restricting deserialization endpoints to accept Zserio input only from authenticated and trusted sources - specifically, remove network exposure of any API endpoints accepting raw Zserio binary data from the internet or untrusted networks. Additional defense-in-depth: deploy resource limits (memory caps, request size limits) in application containers to contain denial-of-service impact from segmentation faults, though this does not prevent the crash itself. Validate Zserio schema definitions to minimize use of unbounded byte arrays or strings where fixed-size alternatives suffice. Monitor application crash logs for segmentation faults in BitStreamReader code paths as potential exploitation indicators. No workaround fully mitigates the vulnerability without upgrading.

Share

EUVD-2026-25593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy