CVE-2026-35480
Received Received - Intake

Excessive Memory Allocation in go-ipld-prime DAG-CBOR Decoder

Vulnerability report for CVE-2026-35480, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-04-17
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
protocol go-ipld-prime to 0.22.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the DAG-CBOR decoder of the Go package go-ipld-prime versions prior to 0.22.0. The decoder uses collection sizes declared in CBOR headers as preallocation hints for Go maps and lists without limiting these sizes or accounting for their memory cost. This allows an attacker to craft small CBOR payloads with headers that declare very large collection sizes, causing the decoder to preallocate excessively large amounts of memory before processing any entries.

Because the allocation budget is only reduced as entries are decoded and not when sizes are declared, these large preallocations bypass the budget system. Nested structures worsen the problem, as each nested level triggers its own unchecked preallocation while consuming minimal budget. For example, a payload under 100 bytes with 10 levels of nesting can cause over 9GB of memory allocation.

The vulnerability is fixed in version 0.22.0 by capping the preallocation size hint to 1024 entries and decrementing the allocation budget when collection sizes are declared, preventing excessive memory allocation.

Impact Analysis

This vulnerability can lead to excessive memory allocation when processing specially crafted CBOR payloads, potentially causing denial of service (DoS) by exhausting system memory resources.

Because the decoder preallocates large amounts of memory based on unchecked size hints, an attacker can cause the affected application to consume excessive memory, degrade performance, or crash, impacting availability.

Detection Guidance

This vulnerability arises from the DAG-CBOR decoder in go-ipld-prime versions prior to 0.22.0, which preallocates memory based on declared collection sizes in CBOR headers without limits. Detection involves identifying usage of vulnerable go-ipld-prime versions and monitoring for unusually high memory allocations triggered by CBOR payloads with large or deeply nested collection size declarations.

Since the vulnerability is triggered by crafted CBOR payloads causing excessive memory allocation, detection can include monitoring application logs and system metrics for spikes in memory usage when processing CBOR data.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the go-ipld-prime package to version 0.22.0 or later, where the vulnerability is fixed by capping preallocation size hints to 1024 entries and properly decrementing the allocation budget when collection sizes are declared.

Until the upgrade can be applied, consider limiting or validating CBOR payloads to prevent deeply nested or large collection size declarations that could trigger excessive memory allocation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart