CVE-2026-42328
Deferred - Pending Action
Stack Overflow in go-ipld-prime CBOR Decoder

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, with batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: go-ipld-prime
Product: go-ipld-prime
Version / Range: all versions before 0.23.0 (0.23.0 itself excluded)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

The vulnerability exists in go-ipld-prime versions prior to 0.23.0, specifically in the DAG-CBOR and DAG-JSON decoders. These decoders recursively process each nested map or list without any limit on the recursion depth. If a payload contains deeply nested collections, the decoder will recurse once per level, causing the goroutine stack to grow until the Go runtime terminates the process due to a fatal stack overflow. This termination is distinct from a recoverable panic.

Impact Analysis

This vulnerability can cause a denial of service by crashing the application process. When processing a maliciously crafted payload with deeply nested collections, the decoder's unbounded recursion leads to a fatal stack overflow, causing the Go runtime to terminate the process. This results in an availability impact, as the application becomes unavailable until restarted or recovered.

Mitigation Strategies

To mitigate this vulnerability, upgrade the go-ipld-prime package to version 0.23.0 or later, where the issue with unbounded recursion in the DAG-CBOR and DAG-JSON decoders has been fixed.

Detection Guidance

This vulnerability occurs due to unbounded recursion depth in the DAG-CBOR and DAG-JSON decoders of go-ipld-prime prior to version 0.23.0, which can cause a fatal stack overflow in the Go runtime.

To detect if your system is vulnerable, first verify the version of go-ipld-prime in use. If it is earlier than 0.23.0, your system is susceptible.

You can check the installed version by running commands such as:

  • go list -m github.com/ipld/go-ipld-prime
  • or check your project's go.mod file for the go-ipld-prime version.

To detect exploitation attempts or crashes caused by this vulnerability, monitor your application logs for fatal stack overflow errors or unexpected process terminations related to go-ipld-prime decoding operations.
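As an added defender-side example (not code from go-ipld-prime or from this advisory), the following Go function pre-screens a raw DAG-CBOR buffer before it reaches a recursive decoder: it walks the RFC 8949 head/argument framing with an explicit stack rather than recursion and rejects any payload whose array/map nesting exceeds a caller-chosen limit, which is the kind of bound CWE-674 asks for. The function name, the limit and the sample bytes are constructed for this example; it rejects indefinite-length items, as DAG-CBOR does, and treats a tag as wrapping the item that follows it.

```go
package main

import "errors"

var ErrTooDeep = errors.New("cbor: nesting depth exceeds limit")

// CheckNesting walks one CBOR item with an explicit stack instead of recursion (so the
// scanner itself cannot overflow the goroutine stack) and returns ErrTooDeep as soon as
// an array or map opens deeper than limit. Any other non-nil error means malformed input.
func CheckNesting(buf []byte, limit int) error {
	pending := []uint64{1} // items still expected at each open level; root expects 1
	pos := 0
	for len(pending) > 0 {
		top := len(pending) - 1
		if pending[top] == 0 { // container fully consumed: close it
			pending = pending[:top]
			continue
		}
		pending[top]--
		if pos >= len(buf) {
			return errors.New("cbor: truncated input")
		}
		major, ai := buf[pos]>>5, buf[pos]&0x1f // RFC 8949 head: major type, additional info
		arg, n := uint64(ai), 1                 // ai < 24: the argument is ai itself
		if ai >= 24 { // 1, 2, 4 or 8 big-endian argument bytes follow; ai 28-31 is invalid here
			arg, n = 0, n+1<<(ai-24)
			if ai > 27 || pos+n > len(buf) {
				return errors.New("cbor: invalid or truncated head")
			}
			for _, c := range buf[pos+1 : pos+n] {
				arg = arg<<8 | uint64(c)
			}
		}
		pos += n
		switch major {
		case 2, 3: // byte or text string: skip the payload
			if arg > uint64(len(buf)-pos) {
				return errors.New("cbor: truncated string")
			}
			pos += int(arg)
		case 4, 5: // array or map opens a level; a map entry is a key plus a value
			if pending = append(pending, arg<<(major-4)); len(pending)-1 > limit {
				return ErrTooDeep
			}
		case 6: // tag (42 wraps a CID in DAG-CBOR): the tagged item follows at this level
			pending[top]++
		}
	}
	return nil
}
```

A nil result only bounds nesting; it does not validate the payload further, so this check belongs in front of the upgrade to 0.23.0, not in place of it.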

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
