HIGHCVE-2026-32284Published 2026-03-26Modified 2026-03-30CNA Go

CVE-2026-32284: Denial of service in github.com/shamaton/msgpack

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 3

Affected packages

github.com/shamaton/msgpack / github.com/shamaton/msgpack
github.com/shamaton/msgpack/v2 / github.com/shamaton/msgpack/v2
github.com/shamaton/msgpack/v3 / github.com/shamaton/msgpack/v3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

github.com
github.com
pkg.go.dev

Metrics