Description
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The msgpack decoder in shamaton/msgpack fails to validate the input buffer length when processing truncated fixext data (format codes 0xd4‑0xd8). This leads to an out‑of‑bounds read (CWE‑125) that triggers a runtime panic, resulting in a denial of service. The vulnerability also represents a buffer overread (CWE‑805), allowing an attacker to disrupt services by supplying malformed MsgPack payloads.

Affected Systems

Affected products include shamaton/msgpack v2, shamaton/msgpack v3, and the core shamaton/msgpack repository. No specific version numbers are enumerated in the CNA data, so all releases that contain the vulnerable decoder must be considered potentially impacted until a fix is released.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS value of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is supplying crafted MsgPack data to the vulnerable decoder; based on the description, it is inferred that this could be done via public network interfaces or third‑party integrations. Once triggered, the panic causes the process to terminate, leading to a denial of service for affected systems.

Generated by OpenCVE AI on June 3, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade shamaton/msgpack to the fixed release once it becomes available.
  • Sandbox or isolate decoding operations to contain potential crashes.
  • Avoid processing untrusted MsgPack data or perform strict input validation before decoding.

Generated by OpenCVE AI on June 3, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h9q6-hc68-35rp Denial of service in github.com/shamaton/msgpack
History

Wed, 03 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:a:shamaton:msgpack:*:*:*:*:*:go:*:*

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Shamaton
Shamaton msgpack
Vendors & Products Shamaton
Shamaton msgpack

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Title Denial of service in github.com/shamaton/msgpack
References

Subscriptions

Shamaton Msgpack
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-30T14:55:25.762Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32284

cve-icon Vulnrichment

Updated: 2026-03-30T14:05:06.203Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T20:16:12.087

Modified: 2026-06-17T10:35:29.407

Link: CVE-2026-32284

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T19:40:51Z

Links: CVE-2026-32284 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T16:00:16Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-805

    Buffer Access with Incorrect Length Value