CVE-2026-42328
Stack Overflow in go-ipld-prime CBOR Decoder
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-ipld-prime | go-ipld-prime | all versions before 0.23.0 (0.23.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The vulnerability exists in go-ipld-prime versions prior to 0.23.0, specifically in the DAG-CBOR and DAG-JSON decoders. These decoders process each nested map or list by recursing into it, with no limit on the recursion depth. If a payload contains deeply nested collections, the decoder recurses once per level, so the goroutine stack grows until the Go runtime terminates the process with a fatal stack overflow. Unlike a panic, this fatal error cannot be caught with recover(): the whole process exits.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the application process. When the decoder processes a maliciously crafted payload with deeply nested collections, its unbounded recursion leads to a fatal stack overflow and the Go runtime terminates the process. The impact is on availability: the application stays down until it is restarted or recovered, and any other work hosted in the same process is lost with it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the go-ipld-prime package to version 0.23.0 or later, where the unbounded recursion in the DAG-CBOR and DAG-JSON decoders has been fixed. Until the upgrade is deployed, only accept DAG-CBOR or DAG-JSON input from sources you trust, and consider a pre-check that bounds nesting depth before a payload reaches the decoder.
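As an added illustration of the bounded-recursion pattern such a fix relies on (example code written for this page, not code from go-ipld-prime or from the advisory), the following walks a definite-length DAG-CBOR payload and returns an error as soon as nesting would exceed a limit, so its own recursion never grows past limit+1 frames. The function name CheckDepth, the error values and the limit used by a caller are assumptions of this example; it handles the DAG-CBOR subset of definite-length ints, strings, arrays, maps and tags (tag 42 wraps CIDs) and rejects indefinite-length items, which DAG-CBOR forbids.

```go
package main

import "errors"

var ErrTooDeep = errors.New("cbor: nesting depth exceeds limit")
var ErrMalformed = errors.New("cbor: truncated or indefinite-length item")

// CheckDepth validates one DAG-CBOR item at nesting level depth (0 at the top) and
// returns the bytes it consumed; callers compare that with len(b) to detect trailing data.
func CheckDepth(b []byte, depth, limit int) (int, error) {
	if len(b) == 0 || b[0]&0x1f > 27 { // empty, or info 28..31 (31 = indefinite length)
		return 0, ErrMalformed
	}
	major, info, n := b[0]>>5, b[0]&0x1f, 1
	arg := uint64(info)
	if info >= 24 { // argument lives in the next 1, 2, 4 or 8 bytes, big-endian
		if n += 1 << (info - 24); len(b) < n {
			return 0, ErrMalformed
		}
		arg = 0
		for _, c := range b[1:n] {
			arg = arg<<8 | uint64(c)
		}
	}
	if major >= 4 && major <= 6 && depth >= limit { // array, map, tag: the only items that recurse
		return 0, ErrTooDeep // bail out here instead of growing the stack once per level
	}
	switch major {
	case 2, 3: // byte/text string: arg payload bytes follow the header
		if uint64(len(b)-n) < arg {
			return 0, ErrMalformed
		}
		return n + int(arg), nil
	case 4, 5: // array/map
		for ; arg > 0; arg-- { // stops early on truncation: every item consumes >= 1 byte
			for j := byte(4); j <= major; j++ { // one item per array element, key and value per map entry
				m, err := CheckDepth(b[n:], depth+1, limit)
				if err != nil {
					return 0, err
				}
				n += m
			}
		}
		return n, nil
	case 6: // tag wraps exactly one item (DAG-CBOR uses tag 42 for CIDs)
		m, err := CheckDepth(b[n:], depth+1, limit)
		return n + m, err
	}
	return n, nil // ints, floats and simple values: header only
}
```

Run CheckDepth(payload, 0, limit) before handing payload to the decoder; an ErrTooDeep result is also a useful signal to log, since benign IPLD data rarely nests more than a few dozen levels.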