CVE-2026-35480

EPSS 0.01%
Veröffentlicht 07.04.2026 14:43:24
Zuletzt bearbeitet 17.04.2026 19:45:58
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Protocol ≫ Go-ipld-prime SwPlatformgo Version < 0.22.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.021

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.2	2.5	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-35480

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35480

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35480

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35480