CVE-2026-33666 - Vulnerability Details

- Zserio: Integer Overflow in BitStreamReader on 32-bit platforms

Description

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.

Published: 2026-04-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Zserio’s BitStreamReader functions readBytes() and readString() perform a bounds check on the number of bytes to read. On 32‑bit platforms the length calculation overflows, causing the check to be bypassed. The code then attempts to read an overflowed 512 MB of data from a buffer that is only a few bytes, resulting in a segmentation fault. The vulnerability does not allow arbitrary code execution or privilege escalation, but any process that uses the vulnerable Zserio library will be vulnerable to a crash that may lead to service disruption.

Affected Systems

All installations of the Zserio serialization framework from the ndsev repository running a version prior to 2.18.1 are affected. No specific distribution or build is listed, so any build that includes BitStreamReader.h without the patch is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact if exploited. The EPSS score of less than 1 % suggests modest likelihood of exploitation, which is unsurprising given the local‑only nature of the flaw. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can supply crafted serialized data to the vulnerable application; the resulting crash can be leveraged to cause a denial of service. Based on the description, the likely attack vector is local, with an adversary injecting malicious input into an application that uses Zserio.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ndsev

zserio

affected

Version	Status	Constraints
`<= 2.15.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Ndsev

Zserio

100%

Version	Status	Scheme	Platform
`[0,2.15.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Zserio to version 2.18.1 or newer, which contains the bounds‑check fix for BitStreamReader.
Validate or sanitize any data that will be passed to Zserio’s readBytes() or readString() to ensure the length does not exceed the available buffer size.
Configure monitoring to detect segmentation faults and automatically restart the affected service, or run the application in a sandboxed environment to contain crashes.

Generated by OpenCVE AI on April 28, 2026 at 13:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00328.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj

History

Tue, 28 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nds-association Nds-association zserio
CPEs		cpe:2.3:a:nds-association:zserio::::::::
Vendors & Products		Nds-association Nds-association zserio

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ndsev Ndsev zserio
Vendors & Products		Ndsev Ndsev zserio

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.
Title		Zserio: Integer Overflow in BitStreamReader on 32-bit platforms
Weaknesses		CWE-190
References		https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Nds-association Zserio

Ndsev Zserio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T18:21:11.265Z

Updated: 2026-04-27T13:46:01.833Z

Reserved: 2026-03-23T15:23:42.220Z

Link: CVE-2026-33666

Vulnrichment

Updated: 2026-04-27T13:45:47.937Z

NVD

Status : Analyzed

Published: 2026-04-24T19:17:10.147

Modified: 2026-06-17T10:37:53.463

Link: CVE-2026-33666

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses

CWE-190
Integer Overflow or Wraparound

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object