GHSA-378J-3JFJ-8R9F

Vulnerability from github – Published: 2026-04-06 23:08 – Updated: 2026-04-07 20:00
Summary
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
Details

The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.

A CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.

Schema-free decoding (i.e. using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as Any in the schema permits unconstrained nesting within that field.

The fix, shipped in go-ipld-prime v0.22.0, caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly formed data is unaffected, even beyond the preallocation limit.
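To make the two defects concrete, here is an added Go model written for this page; it is not go-ipld-prime's decoder and none of its names (Policy, Decoder, Decode, NestedListAttack, the 1<<20 entry budget) come from the project. It parses real CBOR headers, builds the payload shape the advisory describes (ten nested list headers, 50 bytes on the wire, each declaring 2^32-1 entries with no entries behind them), and reports what the allocator would be asked for under the pre-fix policy (uncapped hint, budget charged only as entries are decoded) and the post-fix policy (hint capped at 1024, budget charged when the size is declared). Only lists and unsigned integers are handled; maps differ only in reading two items per entry. All inputs are constructed here.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the decoder behaviour the advisory describes; it is not go-ipld-prime's
// code, every name is this example's own, and only lists are modelled (maps read two items per entry).
const maxPreallocHint = 1024 // the cap the advisory says the fix applies to the hint
// Policy holds the advisory's two decisions: clamp the hint; charge the budget at declaration time.
type Policy struct{ CapHint, ChargeOnDeclare bool }
var (
	ErrBudgetExceeded = errors.New("allocation budget exceeded")
	ErrTruncated      = errors.New("truncated CBOR input")
	Vulnerable, Fixed = Policy{}, Policy{CapHint: true, ChargeOnDeclare: true} // pre-fix, post-fix
)

// Decoder tracks the remaining entry Budget and, in Prealloc, the total capacity make() was asked for.
type Decoder struct {
	Policy
	Budget, Prealloc uint64
}

// readHeader parses a CBOR initial byte plus its argument (RFC 8949 section 3).
func readHeader(b []byte) (major uint8, arg uint64, size int, err error) {
	if len(b) == 0 {
		return 0, 0, 0, ErrTruncated
	}
	major, ai := b[0]>>5, b[0]&0x1f
	if ai < 24 { // the argument is the additional info itself
		return major, uint64(ai), 1, nil
	}
	// 24..27: the argument follows in 1, 2, 4 or 8 bytes; 28..31 are not allowed in DAG-CBOR
	if size = map[uint8]int{24: 2, 25: 3, 26: 5, 27: 9}[ai]; size == 0 {
		return 0, 0, 0, fmt.Errorf("additional info %d not allowed in DAG-CBOR", ai)
	} else if len(b) < size {
		return 0, 0, 0, ErrTruncated
	}
	for _, c := range b[1:size] {
		arg = arg<<8 | uint64(c)
	}
	return major, arg, size, nil
}

// Walk decodes the item at b[pos:] (unsigned ints and lists only), recording budget use and prealloc.
func (d *Decoder) Walk(b []byte, pos int) (int, error) {
	major, count, size, err := readHeader(b[pos:])
	if err != nil || major == 0 { // error, or an unsigned int (lives entirely in the header)
		return pos + size, err
	}
	if major != 4 {
		return pos, fmt.Errorf("major type %d not handled in this example", major)
	}
	pos += size
	hint, upfront, perEntry := count, uint64(0), uint64(1) // pre-fix: each decoded entry costs 1
	if d.CapHint && hint > maxPreallocHint {
		hint = maxPreallocHint
	}
	if d.ChargeOnDeclare { // the fix: the whole declared count is paid for up front
		upfront, perEntry = count, 0
	}
	if upfront > d.Budget {
		return pos, ErrBudgetExceeded
	}
	d.Budget -= upfront
	d.Prealloc += hint // what make() is asked for before a single entry has been read
	for i := uint64(0); i < count; i++ {
		if perEntry > d.Budget {
			return pos, ErrBudgetExceeded
		}
		d.Budget -= perEntry
		if pos, err = d.Walk(b, pos); err != nil {
			return pos, err
		}
	}
	return pos, nil
}

// Decode runs one policy over payload with an entry budget and reports the outcome.
func Decode(p Policy, budget uint64, payload []byte) (prealloc, spent uint64, err error) {
	d := &Decoder{Policy: p, Budget: budget}
	_, err = d.Walk(payload, 0)
	return d.Prealloc, budget - d.Budget, err
}

// NestedListAttack emits depth nested list headers declaring `declared` entries each, with no real entries.
func NestedListAttack(depth int, declared uint32) []byte {
	var out []byte
	for i := 0; i < depth; i++ { // 0x9a: major type 4 (array), additional info 26 (4-byte count)
		out = append(out, 0x9a, byte(declared>>24), byte(declared>>16), byte(declared>>8), byte(declared))
	}
	return out
}

func main() {
	fmt.Println(Decode(Vulnerable, 1<<20, NestedListAttack(10, 0xFFFFFFFF))) // huge prealloc, truncated
	fmt.Println(Decode(Fixed, 1<<20, NestedListAttack(10, 0xFFFFFFFF)))      // rejected at first header
}
```

Run as-is, the pre-fix policy reports about 4.29e10 requested slots for a 50-byte input while spending only 10 budget entries (one per nesting level) before failing on truncation, which is exactly the accounting gap the advisory describes; the post-fix policy rejects the outermost header because its declared count alone exceeds the budget. A well-formed list longer than 1024 entries still decodes under the post-fix policy, since only the hint is clamped and the declared count is still what the entry loop iterates over.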


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ipld/go-ipld-prime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T23:08:24Z",
    "nvd_published_at": "2026-04-07T15:17:45Z",
    "severity": "MODERATE"
  },
  "details": "The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.\n\nA CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.\n\nSchema-free decoding (i.e. using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema\u0027s structure, but any field typed as `Any` in the schema permits unconstrained nesting within that field.\n\nThe fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.",
  "id": "GHSA-378j-3jfj-8r9f",
  "modified": "2026-04-07T20:00:26Z",
  "published": "2026-04-06T23:08:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipld/go-ipld-prime/commit/e43bf4a27055fe8d895671a731ee5041e2d983a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ipld/go-ipld-prime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers"
}

