CVE-2026-32284

Denial of service in github.com/shamaton/msgpack

CVSS 7.5 HIGHEPSS 0.4%

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Produtos afetados

github.com/shamaton/msgpack · github.com/shamaton/msgpack github.com/shamaton/msgpack/v2 · github.com/shamaton/msgpack/v2 github.com/shamaton/msgpack/v3 · github.com/shamaton/msgpack/v3

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/golang/vulndb/issues/4513 https://github.com/shamaton/msgpack/issues/59 https://pkg.go.dev/vuln/GO-2026-4513 https://securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026