Description
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update Library
AI Analysis

Impact

The Delete function in buger/jsonparser fails to properly validate offsets when parsing malformed JSON input, which can result in a negative slice index and trigger a runtime panic. This crash leads to an application denial of service, disrupting normal operation without providing any additional access or persistent impact to the system.

Affected Systems

The vulnerable component is the buger/jsonparser library used in Go applications that parse JSON data. All versions in use before the issue is addressed are potentially affected; the vulnerability is reported in the library’s public repository and does not reference a specific version, so any deployment that relies on this package should be considered at risk.

Risk and Exploitability

The attack vector is likely remote, via crafted JSON payloads sent to an application that calls the Delete function, which does not apply bounds checks on the offsets. The exploit requires only malformed input, not privilege escalation, and the resulting crash can cause significant downtime. The vulnerability is not currently listed in the CISA KEV catalog and no EPSS score is available, suggesting that coverage may be limited but the risk remains high due to the ease of triggering the panic.

Generated by OpenCVE AI on March 26, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of buger/jsonparser once the maintainers publish a fix, or apply the confirmed code changes from the issue discussion.
  • Validate and sanitize all JSON inputs before passing them to Delete to prevent malformed data from triggering the panic.
  • Implement application health monitoring and restart mechanisms, such as a process supervisor or watchdog, to recover quickly from unhandled panics.
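
The second and third actions can be combined in a small guard around the call. This is an added example, not code from OpenCVE or from buger/jsonparser: `SafeDelete`, `ErrInvalidJSON` and `standInDelete` are hypothetical names, and `standInDelete` is a constructed stand-in that only mimics a negative slice bound so the block runs without the library. In real use, pass `jsonparser.Delete` as the `del` argument.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// DeleteFunc has the same signature as jsonparser.Delete.
type DeleteFunc func(data []byte, keys ...string) []byte

var ErrInvalidJSON = errors.New("input is not well-formed JSON")

// SafeDelete rejects malformed input before del sees it, then converts any
// panic that still escapes del into an error so one bad request cannot
// take the whole process down.
func SafeDelete(del DeleteFunc, data []byte, keys ...string) (out []byte, err error) {
	if !json.Valid(data) {
		return nil, ErrInvalidJSON
	}
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("delete panicked: %v", r)
		}
	}()
	return del(data, keys...), nil
}

// standInDelete is a constructed stand-in, NOT the library's code. It deletes
// nothing; it only slices with an unchecked offset, which goes negative when
// the input has no closing brace.
func standInDelete(data []byte, keys ...string) []byte {
	end := bytes.LastIndexByte(data, '}') // -1 when no '}' is present
	inner := data[1:end]                  // negative bound: runtime panic
	return []byte("{" + string(inner) + "}")
}

func main() {
	// Constructed inputs: well-formed, truncated, and valid JSON that still
	// drives the stand-in to a negative offset.
	for _, in := range []string{`{"a":1}`, `{"a":1`, `[1,2]`} {
		out, err := SafeDelete(standInDelete, []byte(in), "a")
		fmt.Printf("%-8q out=%q err=%v\n", in, out, err)
	}
}
```

The `recover` only protects the goroutine that calls `SafeDelete`; it complements the upgrade and does not replace it.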



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 09:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Buger; Buger jsonparser
Vendors & Products | | Buger; Buger jsonparser

Thu, 26 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Title | | Denial of service in github.com/buger/jsonparser
References | |

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-26T19:40:51.837Z

Reserved: 2026-03-11T16:38:46.556Z

Link: CVE-2026-32285

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T20:16:12.197

Modified: 2026-03-26T20:16:12.197

Link: CVE-2026-32285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:23Z

Weaknesses