CVE-2026-35480
Received Received - Intake
Excessive Memory Allocation in go-ipld-prime DAG-CBOR Decoder

Publication date: 2026-04-07

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
protocol go-ipld-prime to 0.22.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the DAG-CBOR decoder of the Go package go-ipld-prime versions prior to 0.22.0. The decoder uses collection sizes declared in CBOR headers as preallocation hints for Go maps and lists without limiting these sizes or accounting for their memory cost. This allows an attacker to craft small CBOR payloads with headers that declare very large collection sizes, causing the decoder to preallocate excessively large amounts of memory before processing any entries.

Because the allocation budget is only reduced as entries are decoded and not when sizes are declared, these large preallocations bypass the budget system. Nested structures worsen the problem, as each nested level triggers its own unchecked preallocation while consuming minimal budget. For example, a payload under 100 bytes with 10 levels of nesting can cause over 9GB of memory allocation.

The vulnerability is fixed in version 0.22.0 by capping the preallocation size hint to 1024 entries and decrementing the allocation budget when collection sizes are declared, preventing excessive memory allocation.

Impact Analysis

This vulnerability can lead to excessive memory allocation when processing specially crafted CBOR payloads, potentially causing denial of service (DoS) by exhausting system memory resources.

Because the decoder preallocates large amounts of memory based on unchecked size hints, an attacker can cause the affected application to consume excessive memory, degrade performance, or crash, impacting availability.

Detection Guidance

This vulnerability arises from the DAG-CBOR decoder in go-ipld-prime versions prior to 0.22.0, which preallocates memory based on declared collection sizes in CBOR headers without limits. Detection involves identifying usage of vulnerable go-ipld-prime versions and monitoring for unusually high memory allocations triggered by CBOR payloads with large or deeply nested collection size declarations.

Since the vulnerability is triggered by crafted CBOR payloads causing excessive memory allocation, detection can include monitoring application logs and system metrics for spikes in memory usage when processing CBOR data.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the go-ipld-prime package to version 0.22.0 or later, where the vulnerability is fixed by capping preallocation size hints to 1024 entries and properly decrementing the allocation budget when collection sizes are declared.

Until the upgrade can be applied, consider limiting or validating CBOR payloads to prevent deeply nested or large collection size declarations that could trigger excessive memory allocation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart