Skip to main content

Zserio

1 CVEs product

Monthly

CVE-2026-33666 HIGH This Week

Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. EPSS data not available, no active exploitation confirmed, but remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.

Buffer Overflow Integer Overflow Zserio
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH This Week

Integer overflow in Zserio serialization framework versions before 2.18.1 enables remote denial of service via network-accessible deserialization endpoints. Attackers can send crafted serialized data that triggers arithmetic overflow in BitStreamReader's setBitPosition() bounds check, causing the parser to read 512 MB from a buffer only a few bytes long and crash the process with segmentation fault. EPSS data not available, no active exploitation confirmed, but remote unauthenticated attack vector (CVSS AV:N/PR:N) makes this immediately exploitable against any application accepting untrusted Zserio-serialized input over network interfaces.

Buffer Overflow Integer Overflow Zserio
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy