Impact
The msgpack decoder in the shamaton/msgpack Go library fails to validate the length of the input buffer when processing truncated fixed‑extension (fixext) data types, which have format codes 0xd4 through 0xd8. This oversight allows the decoder to read beyond the end of the supplied data, resulting in an out‑of‑bounds memory read. In the Go runtime, the read causes a panic that terminates the process. The vulnerability does not grant any code execution or information disclosure; its primary effect is to bring the host application to an unresponsive state. The weakness is an improper restriction of operations within the bounds of a memory buffer, a classic out‑of‑bounds read condition.
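As an added illustration (not code from shamaton/msgpack), the Go function below shows the bounds check a fixext decoder needs: it derives the payload size from the format code and rejects any buffer shorter than format code + type byte + payload instead of indexing past its end. The `fixextPayloadLen` table, `decodeFixext` and the sample bytes are this example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
)

// fixext format codes from the msgpack spec: 0xd4..0xd8 carry 1, 2, 4, 8 or
// 16 payload bytes, always preceded by a one-byte extension type.
var fixextPayloadLen = map[byte]int{
	0xd4: 1, 0xd5: 2, 0xd6: 4, 0xd7: 8, 0xd8: 16,
}

var ErrTruncated = errors.New("msgpack: truncated fixext")
var ErrNotFixext = errors.New("msgpack: not a fixext format code")

// decodeFixext parses one fixext value from buf. It is a hypothetical
// reference implementation of the length check the advisory describes, not
// the library's code. It returns the extension type, the payload and the
// bytes consumed, and refuses input shorter than the format code requires.
func decodeFixext(buf []byte) (typ int8, payload []byte, n int, err error) {
	if len(buf) == 0 {
		return 0, nil, 0, ErrTruncated
	}
	size, ok := fixextPayloadLen[buf[0]]
	if !ok {
		return 0, nil, 0, ErrNotFixext
	}
	need := 1 + 1 + size // format code + ext type + payload
	if len(buf) < need {
		return 0, nil, 0, fmt.Errorf("%w: code 0x%02x needs %d bytes, have %d", ErrTruncated, buf[0], need, len(buf))
	}
	return int8(buf[1]), buf[2:need], need, nil
}

func main() {
	complete := []byte{0xd6, 0x01, 0xde, 0xad, 0xbe, 0xef} // constructed fixext 4
	truncated := []byte{0xd6, 0x01, 0xde, 0xad}             // same, 2 bytes short
	for _, in := range [][]byte{complete, truncated} {
		typ, payload, n, err := decodeFixext(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("type=%d payload=%x consumed=%d\n", typ, payload, n)
	}
}
```

A decoder that performs this check returns an error to the caller on the truncated buffer; one that omits it would index past the slice and panic, which is the denial of service described above.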
Affected Systems
The issue is present in the shamaton/msgpack repository for all tagged releases of the v2 and v3 series, as well as the master branch. The supplied data does not list specific patch versions that fixed the issue, so any installed version of these libraries is potentially vulnerable. Developers using the decoder to process untrusted input data should assume that all versions are affected until a patch is confirmed.
Risk and Exploitability
Because exploitation requires only that crafted input reach the decoder, any external party able to supply malformed payloads to the application can trigger it. The lack of a defined CVSS score or EPSS value leaves the severity assessment to the analyst, but the ability to crash a service without additional privileges or system-wide impact indicates a moderate risk. The vulnerability is not listed in the CISA KEV catalog, and no revised exploit probability score is available, suggesting that while feasible, it has not yet been widely observed in the wild. Attackers who can control or tamper with the data stream reaching the library can induce a denial-of-service condition with a single request, but cannot achieve code execution or compromise data confidentiality.
OpenCVE Enrichment