Description
Zserio is a framework for serializing structured data in a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1.
Published: 2026-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An integer overflow in Zserio's BitStreamReader lets an attacker craft a payload of only 4 to 5 bytes that triggers an unbounded memory allocation during deserialization: the allocation size is derived from a field in the attacker-controlled input rather than bounded by the input's actual length. Allocations of up to 16 GB result, so the deserializing process crashes with an out-of-memory error and its service becomes unavailable. The flaw is classified as CWE-789 (Uncontrolled Memory Allocation).

Affected Systems

The vulnerability affects all versions of Zserio released before 2.18.1. The project is published on GitHub by ndsev (recorded in NVD CPE data as nds-association). The advisory names no narrower version range, so any installation older than 2.18.1 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the availability impact as high with no effect on confidentiality or integrity; the vector assumes the vulnerable deserializer is reachable over the network by an unauthenticated attacker with no user interaction. The EPSS score below 1% indicates a very low estimated probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment marks it as automatable. Exploitation requires only that the attacker can deliver the crafted payload to the BitStreamReader, which happens whenever a process deserializes Zserio data from an untrusted source. The practical attack vector is therefore network or local depending on how the library is used: any network service that accepts Zserio-encoded input from clients can be crashed remotely.

Generated by OpenCVE AI on April 28, 2026 at 20:00 UTC.

Remediation

Fixed upstream in Zserio 2.18.1; see the GitHub advisory GHSA-cwq5-8pvq-j65j. No workaround other than upgrading is described.

OpenCVE Recommended Actions

  • Upgrade Zserio to version 2.18.1 or later to apply the official fix
  • Restrict deserialization to trusted data sources and validate attacker-controlled length and count fields against the actual size of the incoming data before allocating, so that an allocation can never exceed what the input could possibly contain
  • Monitor application memory usage and run the deserializing service under explicit memory limits (container or cgroup limits, ulimit) so that an oversized allocation fails or kills only that process rather than disrupting the host

Generated by OpenCVE AI on April 28, 2026 at 20:00 UTC.
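The allocation pattern the Impact section describes, and the size check the second recommended action calls for, as an added illustration. This is a self-contained C++ toy reader written for this page; it is not Zserio's runtime code and does not reproduce the exact bug fixed in 2.18.1. The wire format (a 32-bit element count followed by 32-bit elements), the constructed payloads, and all class and function names are assumptions. The unchecked decoder reserves space from the attacker-supplied count before confirming the stream contains that many elements, so a 4-byte payload with count 0xFFFFFFFF requests just under 16 GiB; the checked decoder first bounds the count by the bits remaining in the input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Minimal big-endian bit-stream reader, written for this example (not Zserio's runtime).
class BitStreamReader {
public:
    BitStreamReader(const uint8_t* data, size_t sizeBytes)
        : data_(data), sizeBits_(sizeBytes * 8), posBits_(0) {}

    size_t remainingBits() const { return sizeBits_ - posBits_; }

    // Read n (<= 64) bits, MSB first; refuses to read past the end of the buffer.
    uint64_t readBits(unsigned n) {
        if (n > 64) throw std::invalid_argument("readBits: n > 64");
        if (n > remainingBits()) throw std::runtime_error("readBits: past end of stream");
        uint64_t v = 0;
        for (unsigned i = 0; i < n; ++i, ++posBits_) {
            const uint8_t byte = data_[posBits_ / 8];
            v = (v << 1) | ((byte >> (7 - posBits_ % 8)) & 1u);
        }
        return v;
    }

private:
    const uint8_t* data_;
    size_t sizeBits_;
    size_t posBits_;
};

// Wire format assumed for this example: uint32 count, then `count` uint32 elements.
constexpr unsigned kBitsPerElement = 32;
static_assert(kBitsPerElement > 0, "the bound below divides by the element size");

// Constructed payloads (not captured from any real Zserio stream).
// Benign: count = 2, elements 0x01020304 and 0x0A0B0C0D.
const uint8_t kBenign[12] = {0x00, 0x00, 0x00, 0x02,
                             0x01, 0x02, 0x03, 0x04,
                             0x0A, 0x0B, 0x0C, 0x0D};
// Malicious: count = 0xFFFFFFFF with nothing behind it; 4 bytes in total.
const uint8_t kMalicious[4] = {0xFF, 0xFF, 0xFF, 0xFF};

// Bytes decodeUnchecked() would request from the allocator for a payload, computed in
// 64-bit arithmetic without actually requesting them (0xFFFFFFFF * 4 = 17179869180).
uint64_t uncheckedReserveBytes(const uint8_t* buf, size_t len) {
    BitStreamReader r(buf, len);
    const uint64_t count = r.readBits(32);
    return count * sizeof(uint32_t);
}

// Vulnerable pattern: size the output from the untrusted count before checking that the
// stream can hold that many elements. Do not call this on kMalicious: reserve() asks for
// about 16 GiB and the process dies with std::bad_alloc or under the OOM killer.
std::vector<uint32_t> decodeUnchecked(const uint8_t* buf, size_t len) {
    BitStreamReader r(buf, len);
    const uint32_t count = static_cast<uint32_t>(r.readBits(32));
    std::vector<uint32_t> out;
    out.reserve(count);  // allocation happens here, before a single element is read
    for (uint32_t i = 0; i < count; ++i)
        out.push_back(static_cast<uint32_t>(r.readBits(kBitsPerElement)));
    return out;
}

// Hardened pattern: before allocating, bound the count by what the remaining input can
// hold. The comparison uses a division, so it cannot wrap the way count * size could.
std::vector<uint32_t> decodeChecked(const uint8_t* buf, size_t len) {
    BitStreamReader r(buf, len);
    const uint64_t count = r.readBits(32);
    const uint64_t maxElements = r.remainingBits() / kBitsPerElement;
    if (count > maxElements)
        throw std::length_error("array count exceeds remaining input");
    std::vector<uint32_t> out;
    out.reserve(static_cast<size_t>(count));  // now bounded by the input's own size
    for (uint64_t i = 0; i < count; ++i)
        out.push_back(static_cast<uint32_t>(r.readBits(kBitsPerElement)));
    return out;
}

// True if the hardened decoder rejects the payload before allocating anything.
bool checkedRejects(const uint8_t* buf, size_t len) {
    try {
        decodeChecked(buf, len);
        return false;
    } catch (const std::length_error&) {
        return true;
    }
}

int main() {
    std::printf("unchecked reserve for the 4-byte payload: %llu bytes\n",
                static_cast<unsigned long long>(uncheckedReserveBytes(kMalicious, sizeof kMalicious)));
    std::printf("checked decoder rejects it: %s\n",
                checkedRejects(kMalicious, sizeof kMalicious) ? "yes" : "no");
    std::printf("checked decoder on the benign payload: %zu elements\n",
                decodeChecked(kBenign, sizeof kBenign).size());
    return 0;
}
```

The bound in decodeChecked() is the general form of the second recommended action: an array can never have more elements than remaining_bits / minimum_bits_per_element, so checking the count against that quotient before calling reserve() caps the allocation at roughly the size of the input itself. For variable-length elements, divide by the smallest encoding an element can have; if an element type can legitimately encode to zero bits, that quotient is undefined and a separate hard cap on the count is required.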

Advisories
Source: GitHub GHSA
ID: GHSA-cwq5-8pvq-j65j
Title: Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization
History

Tue, 28 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nds-association; Nds-association zserio
CPEs                                  cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:*
Vendors & Products                    Nds-association; Nds-association zserio

Tue, 28 Apr 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ndsev; Ndsev zserio
Vendors & Products                    Ndsev; Ndsev zserio

Mon, 27 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)                        Automatable: yes; Exploitation: none; Technical Impact: partial (SSVC version 2.0.3)

Fri, 24 Apr 2026 18:30:00 +0000

Type                 Values Removed   Values Added
Description                           Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1.
Title                                 Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization
Weaknesses                            CWE-789
References
Metrics (cvssV3_1)                    score 7.5; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:35:28.660Z

Reserved: 2026-03-20T18:05:11.829Z

Link: CVE-2026-33524

Vulnrichment

Updated: 2026-04-27T13:20:22.417Z

NVD

Status: Analyzed

Published: 2026-04-24T19:17:09.850

Modified: 2026-04-28T18:33:01.667

Link: CVE-2026-33524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses