SUSE CVE-2026-35480

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480

CVE-2026-35480 affects the go-ipld-prime project, specifically the DAG-CBOR decoder. Prior to version 0.22.0, the decoder uses collection size hints from CBOR headers as preallocation hints for maps and lists without capping them or accounting for their cost in its allocation budget. This can lea...

CVE-2026-35480 go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

GHSA-378J-3JFJ-8R9F go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers

The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. A CBOR map or list header c...

PT-2026-30757

Name of the Vulnerable Software and Affected Versions go-ipld-prime versions prior to 0.22.0 Description go-ipld-prime’s DAG-CBOR decoder does not limit the size of preallocations for maps and lists based on CBOR headers, potentially leading to excessive memory allocation from small payloads...