Description
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via runtime panic caused by buffer overread
Action: Patch
AI Analysis

Impact

The msgpack decoder in shamaton/msgpack fails to validate the input buffer length when processing truncated fixext data (format codes 0xd4‑0xd8). This oversight causes an out‑of‑bounds read that triggers a runtime panic, resulting in a denial of service. The vulnerability, identified as a buffer overread (CWE‑805), allows an attacker to disrupt services by supplying malformed MsgPack payloads.

Affected Systems

Affected products include shamaton/msgpack v2, shamaton/msgpack v3, and the core shamaton/msgpack repository. No specific version numbers are enumerated in the CNA data, so all releases that contain the vulnerable decoder must be considered potentially impacted until a fix is released.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS value of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply crafted MsgPack data to the vulnerable decoder, which is likely achievable via public network interfaces or third‑party integrations. Once triggered, the panic causes the process to terminate, leading to a denial of service for affected systems.

Generated by OpenCVE AI on March 30, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Monitor the shamaton/msgpack GitHub repository for a patch or issue fix.
  • Avoid processing untrusted MsgPack data or isolate decoding operations behind a sandbox or hot‑standby process to contain potential crashes.
  • When an updated version is released, upgrade shamaton/msgpack to the fixed release.

Generated by OpenCVE AI on March 30, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h9q6-hc68-35rp Denial of service in github.com/shamaton/msgpack
History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Shamaton
Shamaton msgpack
Vendors & Products Shamaton
Shamaton msgpack

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Title Denial of service in github.com/shamaton/msgpack
References

Subscriptions

Shamaton Msgpack
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-30T14:55:25.762Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32284

cve-icon Vulnrichment

Updated: 2026-03-30T14:05:06.203Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T20:16:12.087

Modified: 2026-03-30T15:16:27.780

Link: CVE-2026-32284

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T19:40:51Z

Links: CVE-2026-32284 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:34Z

Weaknesses