CVE-2026-21452
Unbounded Memory Allocation DoS in MessagePack-Java Deserialization

Publication date: 2026-01-02

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
MessagePack for Java (msgpack-java) is a serializer implementation for Java. Versions prior to 0.9.11 contain a denial-of-service vulnerability in the deserialization of .msgpack input that contains EXT32 objects with attacker-controlled payload lengths. MessagePack-Java parses extension headers lazily, but it later trusts the declared EXT payload length when materializing the extension data: when ExtensionValue.getData() is invoked, the library allocates a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore request an allocation as large as the 32-bit length field allows, exhausting the JVM heap and ending in excessive garbage collection, an OutOfMemoryError, process termination, or service unavailability.

The crafted file is syntactically valid MessagePack. No malformed bytes are required, so it can pass basic validation and scanning, and exploitation needs neither user interaction nor elevated privileges. Because the allocation happens during model loading / deserialization, this is a model-format vulnerability that is exploitable remotely wherever untrusted .msgpack artifacts are accepted or fetched: model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms. The result is complete unavailability of the affected service and potential cascading failures in production systems.

Version 0.9.11 fixes the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-03
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor    Product        Version / Range
msgpack   msgpack-java   < 0.9.11 (0.9.11 excluded)
msgpack   messagepack    0.9.10
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in the MessagePack for Java library versions prior to 0.9.11 during deserialization of .msgpack files containing EXT32 objects. The library lazily parses extension headers but trusts the declared payload length when materializing extension data. When ExtensionValue.getData() is called, it attempts to allocate a byte array of the declared length without any upper bound. An attacker can craft a malicious .msgpack file with an EXT32 object specifying an excessively large payload length but containing minimal actual data. This causes unbounded heap memory allocation, leading to JVM heap exhaustion, process termination, or service unavailability. The attack requires no privileges or user interaction and can be exploited remotely in environments that deserialize untrusted .msgpack files. The vulnerability was fixed in version 0.9.11 by implementing gradual memory allocation and validating data availability before allocation. [3, 1]
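The allocation path described in the Description and restated in the answer above, as an added Python example that is not msgpack-java's code. It re-implements only the EXT32 framing (marker byte 0xC9, big-endian uint32 length, int8 type, payload), builds a constructed six-byte attack sample, and puts the length-trusting allocation beside two defenses: an up-front bounds check, and a chunked read that validates data availability as it goes, in the spirit of the gradual allocation the 0.9.11 fix is described as introducing. The 16 MiB cap, the chunk size, and every function name are assumptions made for this example.

```python
"""Added example for CVE-2026-21452 (not msgpack-java code): trusting an EXT32 length."""
import io
import struct

EXT32 = 0xC9                        # MessagePack EXT32: 0xC9, uint32 length, int8 type, payload
EXT32_HEADER_LEN = 6
MAX_EXT_PAYLOAD = 16 * 1024 * 1024  # hypothetical application cap, not a library constant
CHUNK = 8192                        # hypothetical chunk size for gradual reads


def build_ext32(ext_type: int, declared_len: int, payload: bytes = b"") -> bytes:
    """Encode an EXT32 object; declared_len may deliberately disagree with len(payload)."""
    return struct.pack(">BIb", EXT32, declared_len, ext_type) + payload


def malicious_ext32() -> bytes:
    """Constructed attack sample: six valid bytes claiming a 4 GiB payload that is absent."""
    return build_ext32(1, 0xFFFFFFFF)


def parse_header(buf: bytes) -> tuple:
    """Return (ext_type, declared_len) from an EXT32 header.

    Reading the header is cheap; the danger is in what the caller does with declared_len.
    """
    if len(buf) < EXT32_HEADER_LEN or buf[0] != EXT32:
        raise ValueError("not a complete EXT32 header")
    _, declared_len, ext_type = struct.unpack_from(">BIb", buf, 0)
    return ext_type, declared_len


def unpack_ext_trusting(buf: bytes) -> tuple:
    """Vulnerable pattern: size the buffer from the untrusted length field.

    On malicious_ext32() this requests a 4 GiB zero-filled bytearray before a single
    payload byte is examined; the Java analogue is `new byte[declaredLength]` ending in
    OutOfMemoryError. Never call this on untrusted input.
    """
    ext_type, declared_len = parse_header(buf)
    data = bytearray(declared_len)                       # allocation size chosen by attacker
    present = buf[EXT32_HEADER_LEN:EXT32_HEADER_LEN + declared_len]
    data[:len(present)] = present
    return ext_type, data


def unpack_ext_checked(buf: bytes, max_payload: int = MAX_EXT_PAYLOAD) -> tuple:
    """Hardened in-memory variant: reject the length before allocating anything.

    Two independent checks: a policy cap (a model file has no business carrying a
    multi-gigabyte extension) and a consistency check against the bytes actually present.
    """
    ext_type, declared_len = parse_header(buf)
    if declared_len > max_payload:
        raise ValueError(f"EXT payload of {declared_len} bytes exceeds cap of {max_payload}")
    available = len(buf) - EXT32_HEADER_LEN
    if declared_len > available:
        raise ValueError(f"EXT declares {declared_len} bytes but only {available} are present")
    return ext_type, bytes(buf[EXT32_HEADER_LEN:EXT32_HEADER_LEN + declared_len])


def read_payload_gradually(stream, length: int, chunk: int = CHUNK) -> bytes:
    """Streaming variant in the spirit of the 0.9.11 fix: grow the buffer only as real
    bytes arrive, so a source that cannot back its declared length fails after at most
    one chunk instead of after a `length`-sized allocation."""
    out = bytearray()
    remaining = length
    while remaining:
        piece = stream.read(min(chunk, remaining))
        if not piece:
            raise EOFError(f"input ended with {remaining} of {length} payload bytes missing")
        out += piece
        remaining -= len(piece)
    return bytes(out)


def unpack_ext_stream(source) -> tuple:
    """Unpack one EXT32 object from bytes or a binary stream, reading the payload gradually."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    ext_type, declared_len = parse_header(stream.read(EXT32_HEADER_LEN))
    return ext_type, read_payload_gradually(stream, declared_len)


if __name__ == "__main__":
    sample = malicious_ext32()
    print(f"{len(sample)}-byte sample declares {parse_header(sample)[1]:,} payload bytes")
    for fn in (unpack_ext_checked, unpack_ext_stream):
        try:
            fn(sample)
        except (ValueError, EOFError) as exc:
            print(f"{fn.__name__}: rejected ({exc})")
```

Gradual reading only defends against a declared length that the source cannot actually deliver; a peer able to stream the full payload still drives the buffer to that size. An application-level cap such as MAX_EXT_PAYLOAD, sized for the extension types a service legitimately expects, is therefore still worth enforcing after upgrading.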


How can this vulnerability impact me?

This vulnerability can cause a remote denial-of-service (DoS) attack against applications using vulnerable versions of MessagePack for Java to deserialize untrusted .msgpack files. An attacker can trigger unbounded memory allocation leading to JVM heap exhaustion, excessive garbage collection, or immediate process termination with an OutOfMemoryError. This results in complete service unavailability and potential cascading failures in production systems such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms. The attack requires no user interaction or privileges and can be performed remotely. [3, 1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade the msgpack-java library to version 0.9.11 or later, which includes a fix implementing gradual memory allocation for large payloads to prevent unbounded heap allocation. Avoid deserializing untrusted .msgpack files containing EXT32 objects with large payload lengths. Additionally, apply any relevant dependency updates included in the v0.9.11 release to ensure overall security improvements. [1, 2, 3]

