CVE-2026-35480
Excessive Memory Allocation in go-ipld-prime DAG-CBOR Decoder
Publication date: 2026-04-07
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| protocol | go-ipld-prime | to 0.22.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the DAG-CBOR decoder of the Go package go-ipld-prime versions prior to 0.22.0. The decoder uses collection sizes declared in CBOR headers as preallocation hints for Go maps and lists without limiting these sizes or accounting for their memory cost. This allows an attacker to craft small CBOR payloads with headers that declare very large collection sizes, causing the decoder to preallocate excessively large amounts of memory before processing any entries.
Because the allocation budget is only reduced as entries are decoded and not when sizes are declared, these large preallocations bypass the budget system. Nested structures worsen the problem, as each nested level triggers its own unchecked preallocation while consuming minimal budget. For example, a payload under 100 bytes with 10 levels of nesting can cause over 9GB of memory allocation.
The vulnerability is fixed in version 0.22.0 by capping the preallocation size hint to 1024 entries and decrementing the allocation budget when collection sizes are declared, preventing excessive memory allocation.
How can this vulnerability impact me? :
This vulnerability can lead to excessive memory allocation when processing specially crafted CBOR payloads, potentially causing denial of service (DoS) by exhausting system memory resources.
Because the decoder preallocates large amounts of memory based on unchecked size hints, an attacker can cause the affected application to consume excessive memory, degrade performance, or crash, impacting availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from the DAG-CBOR decoder in go-ipld-prime versions prior to 0.22.0, which preallocates memory based on declared collection sizes in CBOR headers without limits. Detection involves identifying usage of vulnerable go-ipld-prime versions and monitoring for unusually high memory allocations triggered by CBOR payloads with large or deeply nested collection size declarations.
Since the vulnerability is triggered by crafted CBOR payloads causing excessive memory allocation, detection can include monitoring application logs and system metrics for spikes in memory usage when processing CBOR data.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the go-ipld-prime package to version 0.22.0 or later, where the vulnerability is fixed by capping preallocation size hints to 1024 entries and properly decrementing the allocation budget when collection sizes are declared.
Until the upgrade can be applied, consider limiting or validating CBOR payloads to prevent deeply nested or large collection size declarations that could trigger excessive memory allocation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.