CVE-2026-32284
Out-of-Bounds Read in msgpack Decoder Causes DoS

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: Go Project

Description
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-30
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (5 associated CPEs)
Vendor    Product   Version / Range
shamaton  msgpack   v2.4.0
shamaton  msgpack   v3.1.0
shamaton  msgpack   v2
shamaton  msgpack   v3
golang    go        *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not include any details about the impact of CVE-2026-32284 on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-32284 is a vulnerability in the Go packages github.com/shamaton/msgpack/v2 and v3, where the msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4 to 0xd8).

Specifically, the function ReadSize1 attempts to read the second byte of a buffer without checking if the buffer is long enough, which can cause an out-of-bounds read and trigger a runtime panic.

This panic occurs when malformed or truncated fixext input is processed, leading to an uncontrolled crash of the decoding process.


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) condition by crashing any service that processes MessagePack data using the affected shamaton/msgpack library versions.

An attacker can trigger this by sending a single malformed or truncated fixext payload, causing the decoder to panic and the application to crash.

No authentication is required to exploit this vulnerability, and it can be triggered remotely if the service accepts untrusted MessagePack input.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for runtime panics caused by out-of-bounds reads in applications using the affected shamaton/msgpack library versions (v2.4.0 and v3.1.0). Specifically, look for panic messages similar to "runtime error: index out of range [1] with length 1" related to the ext/time decoder.

Since the vulnerability is triggered by malformed MessagePack fixext data (format bytes 0xd4 to 0xd8) with truncated payloads, you can detect attempts by inspecting network traffic for such malformed MessagePack payloads.

Suggested commands include:

  • Use application logs or monitoring tools to search for panic stack traces containing 'ext/decode.go:33' or 'runtime error: index out of range'.
  • Capture network traffic with tools like tcpdump or Wireshark and filter for packets containing MessagePack fixext format bytes (0xd4 to 0xd8) with unusually short payloads.
  • Example tcpdump command to capture traffic on port 80 containing the byte 0xd6 (a minimal crashing input): tcpdump -i any -s 0 -w capture.pcap 'tcp port 80 and (tcp[((tcp[12]&0xf0)>>2):1] = 0xd6)'
  • Use fuzz testing or input validation tools on your MessagePack processing endpoints to detect if malformed fixext data causes crashes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Avoid processing untrusted or malformed MessagePack fixext data (format codes 0xd4 to 0xd8) until a patch or fix is available.
  • Implement input validation or filtering at the network or application layer to block or reject truncated fixext payloads that could trigger the panic.
  • Monitor application logs for panic events and restart affected services promptly to maintain availability.
  • Consider applying custom patches or code changes to add bounds checking in the ReadSize1 function before accessing buffer indices, as suggested in the vulnerability details.
  • If possible, isolate or sandbox services using the vulnerable libraries to limit the impact of denial-of-service attacks.
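An added example of the bounds check the mitigation above describes, written for this page and not taken from the shamaton/msgpack code base: a standalone Go reader for fixext values that validates the full length up front, so the one-byte input 0xd6 quoted above returns an error instead of panicking. The function and error names are assumptions, not the library's own.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTruncated is returned when the input ends before the fixext value does.
var ErrTruncated = errors.New("msgpack: truncated fixext input")

// fixextPayloadLen returns the number of data bytes that follow the one-byte
// ext type for the fixext format codes 0xd4..0xd8 (1, 2, 4, 8, 16 bytes).
func fixextPayloadLen(code byte) (int, bool) {
	if code < 0xd4 || code > 0xd8 {
		return 0, false
	}
	return 1 << (code - 0xd4), true
}

// readFixext checks the whole length up front, so a truncated buffer yields
// ErrTruncated instead of an index-out-of-range panic. It returns the ext
// type, the payload and the number of bytes consumed. Names are assumed;
// this is an illustration, not the library's ReadSize1.
func readFixext(buf []byte) (typ int8, data []byte, n int, err error) {
	if len(buf) == 0 {
		return 0, nil, 0, ErrTruncated
	}
	size, ok := fixextPayloadLen(buf[0])
	if !ok {
		return 0, nil, 0, fmt.Errorf("msgpack: 0x%02x is not a fixext format code", buf[0])
	}
	// Format code + type byte + payload. The vulnerable path read buf[1]
	// before confirming that a second byte existed at all.
	need := 2 + size
	if len(buf) < need {
		return 0, nil, 0, fmt.Errorf("%w: need %d bytes, have %d", ErrTruncated, need, len(buf))
	}
	return int8(buf[1]), buf[2:need], need, nil
}

func main() {
	// Constructed inputs: a complete fixext 4 value and the one-byte truncated case.
	for _, in := range [][]byte{{0xd6, 0xff, 0, 0, 0, 1}, {0xd6}} {
		typ, data, n, err := readFixext(in)
		fmt.Printf("input=% x -> typ=%d data=% x consumed=%d err=%v\n", in, typ, data, n, err)
	}
}
```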
