{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32284", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:51.686Z", "dateUpdated": "2026-03-26T19:40:51.686Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:51.686Z"}, "title": "Denial of service in github.com/shamaton/msgpack", "descriptions": [{"lang": "en", "value": "The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack."}], "affected": [{"vendor": "github.com/shamaton/msgpack", "product": "github.com/shamaton/msgpack", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/shamaton/msgpack", "programRoutines": [{"name": "Unmarshal"}, {"name": "UnmarshalAsMap"}, {"name": "UnmarshalAsArray"}, {"name": "DecodeStructAsArray"}, {"name": "DecodeStructAsMap"}], "defaultStatus": "affected"}, {"vendor": "github.com/shamaton/msgpack/v2", "product": "github.com/shamaton/msgpack/v2", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/shamaton/msgpack/v2", "programRoutines": [{"name": "Unmarshal"}, {"name": "UnmarshalAsMap"}, {"name": "UnmarshalAsArray"}], "defaultStatus": "affected"}, {"vendor": "github.com/shamaton/msgpack/v3", "product": "github.com/shamaton/msgpack/v3", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/shamaton/msgpack/v3", "programRoutines": [{"name": "Unmarshal"}, {"name": "UnmarshalAsMap"}, {"name": "UnmarshalAsArray"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://github.com/shamaton/msgpack/issues/59"}, {"url": "https://github.com/golang/vulndb/issues/4513"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4513"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack."}], "id": "CVE-2026-32284", "lastModified": "2026-03-26T20:16:12.087", "metrics": {}, "published": "2026-03-26T20:16:12.087", "references": [{"source": "security@golang.org", "url": "https://github.com/golang/vulndb/issues/4513"}, {"source": "security@golang.org", "url": "https://github.com/shamaton/msgpack/issues/59"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4513"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Received"}

{}

{}