GHSA-FPF5-4JW8-67X8 rust-zserio has Unbounded Memory Allocation

Impact When deserializing arrays, strings or bytes blob types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate...

CVE-2026-33666

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes / readString, the setBitPosition bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes 512 MB fr...

CVE-2026-33524

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the deserialization process. An attacker can cause excessive memory allocation leading to process crashes by submitting a specially crafted payload. Remediation Upgrade...

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the readBytes or readString functions in BitStreamReader when the setBitPosition process receives an overflowed value, bypassing bounds checks. An attacker can cause a segmentation fault and potentiall...

CVE-2026-33666

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes / readString, the setBitPosition bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes 512 MB fr...

CVE-2026-33524

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

CVE-2026-33666

Zserio has a vulnerability in BitStreamReader.h readBytes()/readString() prior to 2.18.1 where setBitPosition() bounds checking can be bypassed on overflow, causing the code to read a large len (up to 512 MB) from a very small buffer and trigger a segmentation fault. The issue is fixed in 2.18.1....

CVE-2026-33666

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes / readString, the setBitPosition bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes 512 MB fr...

CVE-2026-33666 Zserio: Integer Overflow in BitStreamReader on 32-bit platforms

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes / readString, the setBitPosition bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes 512 MB fr...

EUVD-2026-25591

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

CVE-2026-33524

Summary (CVE-2026-33524): Zserio v2.18.0 and earlier are vulnerable to a Denial of Service via unbounded memory allocations during deserialization caused by an integer overflow in BitStreamReader/Array handling. A crafted payload as small as 4–5 bytes can trigger allocations up to 16 GB, crashing...

CVE-2026-33524 Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

CVE-2026-33524

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

CVE-2026-33524 Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. This vulnerability is fixed in...

go-zserio has Unbounded Memory Allocation for All Platforms

Impact When deserializing arrays, strings or bytes blob types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate...

GHSA-XHJ4-G6W8-2XJW go-zserio has Unbounded Memory Allocation for All Platforms

Impact When deserializing arrays, strings or bytes blob types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate...

GHSA-CWQ5-8PVQ-J65J Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization

Summary Unbounded Memory Allocation all platforms A crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. Affected code C++: - cpp/runtime/src/zserio/Array.h line 1029 — mrawArray.reservereadLength with uncheck...

Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization

Summary Unbounded Memory Allocation all platforms A crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error Denial of Service. Affected code C++: - cpp/runtime/src/zserio/Array.h line 1029 — mrawArray.reservereadLength with uncheck...

PT-2026-35056

Name of the Vulnerable Software and Affected Versions Zserio versions prior to 2.18.1 Description An issue exists in the readBytes and readString functions within BitStreamReader.h where the setBitPosition bounds check receives an overflowed value and is bypassed. This allows the system to attemp...