Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
Published: 2026-04-07
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the DAG-CBOR decoder allows an attacker to cause unbounded memory allocation by embedding large collection size hints in CBOR headers. The decoder does not cap these hints, so a crafted payload can make the application allocate memory far beyond normal limits, leading to crashes or severe performance degradation. This is uncontrolled resource consumption (CWE-770) with the potential to deny service.

Affected Systems

go-ipld-prime, a Go implementation of IPLD with CBOR and JSON codecs, before version 0.22.0. Any application that uses this library and decodes CBOR input is at risk.

Risk and Exploitability

The CVSS score is 6.2, indicating moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a CBOR payload, so any exposed service or component that decodes CBOR could be targeted. The lack of EPSS data prevents a precise risk estimate, but the potential for resource exhaustion suggests that the risk remains significant for systems that accept untrusted CBOR input.

Generated by OpenCVE AI on April 7, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update go-ipld-prime to version 0.22.0 or later, which corrects the parser allocation logic.
  • If an upgrade is not immediately feasible, restrict the size of CBOR messages accepted by the application or validate payload size before decoding.
  • Monitor system memory usage and set appropriate limits or cgroups to contain potential memory exhaustion attacks.
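The mitigation behind the upgrade and the interim advice above is to stop trusting a declared collection count as a preallocation hint. The following is an added example, not code from go-ipld-prime: it parses a definite-length CBOR array or map header, then compares the uncapped hint the advisory describes with a hint bounded by what the remaining input could actually hold (assumed minimum of one encoded byte per array element and two per map entry) and by a hypothetical tunable ceiling `maxHint`. All function names are hypothetical; the two payloads are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// CBOR major types for the two collection kinds (RFC 8949).
const (
	majorArray = 4
	majorMap   = 5
)

var errTruncated = errors.New("cbor: truncated header")

// readCollectionHeader parses a definite-length array or map header and returns
// the major type, the declared item count, and the number of header bytes consumed.
// DAG-CBOR forbids indefinite-length collections, so additional info 31 is rejected.
func readCollectionHeader(buf []byte) (major byte, count uint64, n int, err error) {
	if len(buf) == 0 {
		return 0, 0, 0, errTruncated
	}
	major = buf[0] >> 5
	if major != majorArray && major != majorMap {
		return 0, 0, 0, fmt.Errorf("cbor: major type %d is not a collection", major)
	}
	info := buf[0] & 0x1f
	switch {
	case info < 24:
		return major, uint64(info), 1, nil
	case info == 24:
		if len(buf) < 2 {
			return 0, 0, 0, errTruncated
		}
		return major, uint64(buf[1]), 2, nil
	case info == 25:
		if len(buf) < 3 {
			return 0, 0, 0, errTruncated
		}
		return major, uint64(binary.BigEndian.Uint16(buf[1:3])), 3, nil
	case info == 26:
		if len(buf) < 5 {
			return 0, 0, 0, errTruncated
		}
		return major, uint64(binary.BigEndian.Uint32(buf[1:5])), 5, nil
	case info == 27:
		if len(buf) < 9 {
			return 0, 0, 0, errTruncated
		}
		return major, binary.BigEndian.Uint64(buf[1:9]), 9, nil
	default:
		return 0, 0, 0, errors.New("cbor: indefinite-length collections are not allowed in DAG-CBOR")
	}
}

// naiveCapacity mirrors the pre-0.22.0 pattern the advisory describes: the declared
// count is used as the preallocation hint unchanged, so a 9-byte header can request
// gigabytes (or, for counts above MaxInt, make() panics on a negative capacity).
func naiveCapacity(declared uint64) int {
	return int(declared)
}

// boundedCapacity caps the hint by what the remaining bytes could encode (assumption:
// at least 1 byte per array element, 2 per map entry) and by a hard ceiling, so the
// allocation is proportional to input actually received rather than to a header value.
func boundedCapacity(major byte, declared uint64, remaining int, maxHint int) int {
	minBytesPerItem := 1
	if major == majorMap {
		minBytesPerItem = 2
	}
	limit := uint64(remaining / minBytesPerItem)
	if declared < limit {
		limit = declared
	}
	if limit > uint64(maxHint) {
		limit = uint64(maxHint)
	}
	return int(limit)
}

// planAllocation reads the header at the start of payload and returns the capacity
// each strategy would pass to make(), so the two can be compared on the same input.
func planAllocation(payload []byte, maxHint int) (naive, bounded int, err error) {
	major, count, n, err := readCollectionHeader(payload)
	if err != nil {
		return 0, 0, err
	}
	remaining := len(payload) - n
	return naiveCapacity(count), boundedCapacity(major, count, remaining, maxHint), nil
}

func main() {
	// Constructed inputs: a 9-byte map header declaring 2^30 entries with no body,
	// and an honest 3-element array of small integers.
	inputs := []struct {
		name    string
		payload []byte
	}{
		{"oversized header", []byte{0xbb, 0, 0, 0, 0, 0x40, 0, 0, 0}},
		{"honest array", []byte{0x83, 0x01, 0x02, 0x03}},
	}
	for _, in := range inputs {
		naive, bounded, err := planAllocation(in.payload, 1<<16)
		fmt.Printf("%-16s naive=%d bounded=%d err=%v\n", in.name, naive, bounded, err)
	}
}
```

The bounded hint for the oversized header is zero because no bytes follow it; a real decoder would then grow the map as it actually reads entries, and fail on the truncated input long before the declared count matters.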

Generated by OpenCVE AI on April 7, 2026 at 19:51 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-378j-3jfj-8r9f
Title: go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
History

Fri, 17 Apr 2026 20:00:00 +0000

Type: First Time appeared; Values Added: Protocol, Protocol go-ipld-prime
Type: CPEs; Values Added: cpe:2.3:a:protocol:go-ipld-prime:*:*:*:*:*:go:*:*
Type: Vendors & Products; Values Added: Protocol, Protocol go-ipld-prime

Thu, 09 Apr 2026 15:15:00 +0000

Type: Metrics; Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared; Values Added: Ipld, Ipld go-ipld-prime
Type: Vendors & Products; Values Added: Ipld, Ipld go-ipld-prime

Tue, 07 Apr 2026 15:15:00 +0000

Type: Description; Values Added: go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
Type: Title; Values Added: go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers
Type: Weaknesses; Values Added: CWE-770
Type: References; Values Added: (none listed)
Type: Metrics; Values Added: cvssV3_1
{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Ipld Go-ipld-prime
Protocol Go-ipld-prime
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:40:11.103Z

Reserved: 2026-04-02T20:49:44.453Z

Link: CVE-2026-35480

Vulnrichment

Updated: 2026-04-09T14:40:07.398Z

NVD

Status : Analyzed

Published: 2026-04-07T15:17:45.117

Modified: 2026-04-17T19:45:58.103

Link: CVE-2026-35480

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:20Z

Weaknesses