CVE-2026-42328
Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0.
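Because the stack overflow is fatal rather than a recoverable panic, a `recover()` around the decode call does not help; callers that cannot yet upgrade have to reject over-nested input before decoding. The following is an added example, not go-ipld-prime code and not the 0.23.0 fix: an iterative pre-decode depth check for DAG-JSON input only. The function name `CheckJSONDepth` and the limit of 1024 are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTooDeep reports nesting beyond the caller's limit.
var ErrTooDeep = errors.New("nesting exceeds depth limit")

// CheckJSONDepth scans JSON text in a loop (no recursion, constant stack) and
// returns ErrTooDeep once map/list nesting passes limit. It tracks strings so
// brackets inside them are ignored; it does not otherwise validate syntax.
func CheckJSONDepth(data []byte, limit int) error {
	depth := 0
	inString, escaped := false, false
	for _, b := range data {
		if inString {
			switch {
			case escaped:
				escaped = false
			case b == '\\':
				escaped = true
			case b == '"':
				inString = false
			}
			continue
		}
		switch b {
		case '"':
			inString = true
		case '{', '[':
			if depth++; depth > limit {
				return ErrTooDeep
			}
		case '}', ']':
			if depth > 0 { // stray closers never lower the count below zero
				depth--
			}
		}
	}
	return nil
}

func main() {
	// Constructed samples: brackets inside a string, then 100000 nested lists.
	fmt.Println(CheckJSONDepth([]byte(`{"a":[1,{"b":"[[[ \" ]"}]}`), 1024))
	fmt.Println(CheckJSONDepth([]byte(strings.Repeat("[", 100000)), 1024))
}
```

DAG-CBOR is a binary encoding and needs its own header-aware scan; this check does not cover it.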
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ipld/go-ipld-prime (Go) | < 0.23.0 | 0.23.0 |
Affected products
34 entries:
- Range: < 0.23.0
- osv-coords, 33 versions (no CPE for any entry):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/ipfs-cluster | < 1.1.5-r14 |
| pkg:apk/chainguard/ipfs-cluster-fips | < 1.1.5-r12 |
| pkg:apk/chainguard/k3s-1.31 | < 1.31.6.1-r23 |
| pkg:apk/chainguard/k3s-1.32 | < 1.32.13.1-r15 |
| pkg:apk/chainguard/k3s-1.33 | < 1.33.10.1-r10 |
| pkg:apk/chainguard/k3s-1.34 | < 1.34.6.1-r16 |
| pkg:apk/chainguard/k3s-1.35 | < 1.35.3.1-r7 |
| pkg:apk/chainguard/k3s-static | < 1.35.3.1-r7 |
| pkg:apk/chainguard/k3s-static-1.31 | < 1.31.6.1-r23 |
| pkg:apk/chainguard/k3s-static-1.32 | < 1.32.13.1-r15 |
| pkg:apk/chainguard/k3s-static-1.33 | < 1.33.10.1-r10 |
| pkg:apk/chainguard/k3s-static-1.34 | < 1.34.6.1-r16 |
| pkg:apk/chainguard/k3s-static-1.35 | < 1.35.3.1-r7 |
| pkg:apk/chainguard/rke2-runtime-1.33 | < 1.33.11.2.1-r2 |
| pkg:apk/chainguard/rke2-runtime-1.34 | < 1.34.7.2.1-r2 |
| pkg:apk/chainguard/rke2-runtime-1.35 | < 1.35.4.2.1-r1 |
| pkg:apk/chainguard/rke2-runtime-fips-1.34 | < 1.34.8.2.1-r1 |
| pkg:apk/chainguard/rke2-runtime-fips-1.35 | < 1.35.5.2.2-r2 |
| pkg:apk/chainguard/rke2-runtime-fips-1.36 | < 1.36.1.2.2-r2 |
| pkg:apk/chainguard/spegel | < 0.7.0-r2 |
| pkg:apk/chainguard/spegel-fips | < 0.7.0-r1 |
| pkg:apk/wolfi/ipfs-cluster | < 1.1.5-r14 |
| pkg:apk/wolfi/k3s-1.32 | < 1.32.13.1-r15 |
| pkg:apk/wolfi/k3s-1.33 | < 1.33.10.1-r10 |
| pkg:apk/wolfi/k3s-1.34 | < 1.34.6.1-r16 |
| pkg:apk/wolfi/k3s-1.35 | < 1.35.3.1-r7 |
| pkg:apk/wolfi/k3s-static | < 1.35.3.1-r7 |
| pkg:apk/wolfi/k3s-static-1.32 | < 1.32.13.1-r15 |
| pkg:apk/wolfi/k3s-static-1.33 | < 1.33.10.1-r10 |
| pkg:apk/wolfi/k3s-static-1.34 | < 1.34.6.1-r16 |
| pkg:apk/wolfi/k3s-static-1.35 | < 1.35.3.1-r7 |
| pkg:apk/wolfi/spegel | < 0.7.0-r2 |
| pkg:golang/github.com/ipld/go-ipld-prime | < 0.23.0 |