Medium severity6.2NVD Advisory· Published Apr 7, 2026· Updated Apr 17, 2026
CVE-2026-35480
CVE-2026-35480
Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ipld/go-ipld-primeGo | < 0.22.0 | 0.22.0 |
Affected products
37- osv-coords36 versionspkg:apk/chainguard/ipfs-clusterpkg:apk/chainguard/ipfs-cluster-fipspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-1.31pkg:apk/chainguard/k3s-1.32pkg:apk/chainguard/k3s-1.33pkg:apk/chainguard/k3s-1.34pkg:apk/chainguard/k3s-1.35pkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k3s-static-1.31pkg:apk/chainguard/k3s-static-1.32pkg:apk/chainguard/k3s-static-1.33pkg:apk/chainguard/k3s-static-1.34pkg:apk/chainguard/k3s-static-1.35pkg:apk/chainguard/rke2-runtime-1.33pkg:apk/chainguard/rke2-runtime-1.34pkg:apk/chainguard/rke2-runtime-1.35pkg:apk/chainguard/rke2-runtime-fips-1.33pkg:apk/chainguard/rke2-runtime-fips-1.34pkg:apk/chainguard/rke2-runtime-fips-1.35pkg:apk/chainguard/spegelpkg:apk/chainguard/spegel-fipspkg:apk/wolfi/ipfs-clusterpkg:apk/wolfi/k3spkg:apk/wolfi/k3s-1.32pkg:apk/wolfi/k3s-1.33pkg:apk/wolfi/k3s-1.34pkg:apk/wolfi/k3s-1.35pkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k3s-static-1.32pkg:apk/wolfi/k3s-static-1.33pkg:apk/wolfi/k3s-static-1.34pkg:apk/wolfi/k3s-static-1.35pkg:apk/wolfi/spegelpkg:golang/github.com/ipld/go-ipld-primepkg:rpm/opensuse/kubo&distro=openSUSE%20Tumbleweed
< 1.1.5-r11+ 35 more
- (no CPE)range: < 1.1.5-r11
- (no CPE)range: < 1.1.5-r8
- (no CPE)range: < 1.35.3.1-r5
- (no CPE)range: < 1.31.6.1-r22
- (no CPE)range: < 1.32.13.1-r10
- (no CPE)range: < 1.33.10.1-r3
- (no CPE)range: < 1.34.6.1-r5
- (no CPE)range: < 1.35.3.1-r4
- (no CPE)range: < 1.35.3.1-r5
- (no CPE)range: < 1.31.6.1-r22
- (no CPE)range: < 1.32.13.1-r10
- (no CPE)range: < 1.33.10.1-r3
- (no CPE)range: < 1.34.6.1-r5
- (no CPE)range: < 1.35.3.1-r4
- (no CPE)range: < 1.33.10.2.2-r1
- (no CPE)range: < 1.34.6.2.3-r4
- (no CPE)range: < 1.35.3.2.3-r4
- (no CPE)range: < 1.33.10.2.3-r2
- (no CPE)range: < 1.34.8.2.1-r0
- (no CPE)range: < 1.35.5.2.1-r0
- (no CPE)range: < 0.6.0-r11
- (no CPE)range: < 0.6.0-r8
- (no CPE)range: < 1.1.5-r11
- (no CPE)range: < 1.35.3.1-r5
- (no CPE)range: < 1.32.13.1-r10
- (no CPE)range: < 1.33.10.1-r3
- (no CPE)range: < 1.34.6.1-r5
- (no CPE)range: < 1.35.3.1-r4
- (no CPE)range: < 1.35.3.1-r5
- (no CPE)range: < 1.32.13.1-r10
- (no CPE)range: < 1.33.10.1-r3
- (no CPE)range: < 1.34.6.1-r5
- (no CPE)range: < 1.35.3.1-r4
- (no CPE)range: < 0.6.0-r11
- (no CPE)range: < 0.22.0
- (no CPE)range: < 0.40.1-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-378j-3jfj-8r9fghsaADVISORY
- github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9fnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-35480ghsaADVISORY
- github.com/ipld/go-ipld-prime/commit/e43bf4a27055fe8d895671a731ee5041e2d983a9ghsaWEB
- github.com/ipld/go-ipld-prime/releases/tag/v0.22.0ghsaWEB
News mentions
0No linked articles in our index yet.