2451851 – (CVE-2026-32284) CVE-2026-32284 github.com/shamaton/msgpack: msgpack: Denial of Service via truncated fixext data

Bug 2451851 (CVE-2026-32284) - CVE-2026-32284 github.com/shamaton/msgpack: msgpack: Denial of Service via truncated fixext data

Summary: CVE-2026-32284 github.com/shamaton/msgpack: msgpack: Denial of Service via tr...

Keywords:
Status:	NEW
Alias:	CVE-2026-32284
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-26 20:02 UTC by OSIDB Bzimport
Modified:	2026-03-27 07:19 UTC (History)
CC List:	58 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-26 20:02:41 UTC

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

Note You need to log in before you can comment on or make changes to this bug.

akostadi
alinfoot
amasferr
anthomas
bbrownin
bdettelb
caswilli
derez
dmayorov
doconnor
dschmidt
dtrifiro
ehelms
erezende
ggainey
gotiwari
jcantril
jdobes
jgrulich
jhorak
jkoehler
jlanda
jlledo
juwatts
jvasik
jwong
kaycoth
kgaikwad
kshier
lichen
lphiri
mhulan
mvyas
nmoumoul
omaciel
orabin
osousa
pantinor
pcreech
rblanco
rbryant
rchan
rojacob
simaishi
smallamp
smcdonal
stcannon
teagle
tmalecek
tpopela
tsedmik
ttakamiy
vmugicag
weaton
xialiu
xiaoxwan
yguenane
zzhou