2 matches found
CVE-2026-21452
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later...
CVE-2026-21452
CVE-2026-21452 affects MessagePack for Java prior to 0.9.11. During deserialization of .msgpack files containing EXT32 objects with attacker-controlled payload lengths, ExtensionValue.getData() allocates a byte array based on the declared length without upper-bound checks, enabling remote DoS via...