High severity7.5NVD Advisory· Published Mar 26, 2026· Updated Jun 3, 2026
CVE-2026-32284
CVE-2026-32284
Description
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/shamaton/msgpack/v2Go | <= 2.4.0 | — |
github.com/shamaton/msgpack/v3Go | <= 3.1.0 | — |
Affected products
7- osv-coords5 versionspkg:apk/chainguard/flytepkg:apk/wolfi/flytepkg:golang/github.com/shamaton/msgpack/v2pkg:golang/github.com/shamaton/msgpack/v3pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.16.7-r0+ 4 more
- (no CPE)range: < 1.16.7-r0
- (no CPE)range: < 1.16.7-r0
- (no CPE)range: <= 2.4.0
- (no CPE)range: <= 3.1.0
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
Patches
Vulnerability mechanics
References
6- securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-h9q6-hc68-35rpghsaADVISORY
- github.com/golang/vulndb/issues/4513nvdIssue TrackingThird Party AdvisoryWEB
- github.com/shamaton/msgpack/issues/59nvdIssue TrackingVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32284ghsaADVISORY
- pkg.go.dev/vuln/GO-2026-4513nvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.