CVE-2026-35480

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.2 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 08, 2026

CWE ID

CWE-770

Source

GitHub

Vendor

Product

github.com/ipld/go-ipld-prime

External References

https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f
https://github.com/ipld/go-ipld-prime/commit/e43bf4a27055fe8d895671a731ee5041e2d983a9
https://github.com/ipld/go-ipld-prime/releases/tag/v0.22.0
https://github.com/advisories/GHSA-378j-3jfj-8r9f

CVE-2026-35480

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment