๐Ÿ” CVE Alert

CVE-2026-32284

HIGH 7.5

Denial of service in github.com/shamaton/msgpack

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 4th

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
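The length check the description refers to, as an added Go example that is not code from github.com/shamaton/msgpack. `readFixextUnchecked`, `readFixext`, `fixextLen` and `panics` are hypothetical names; the payload sizes for 0xd4-0xd8 come from the MessagePack specification, and the input bytes are constructed.

```go
package main

import "errors"
import "fmt"

var ErrTruncated = errors.New("truncated fixext")

// fixextLen returns the payload size for 0xd4-0xd8 (fixext 1, 2, 4, 8, 16).
func fixextLen(code byte) (int, bool) {
	if code < 0xd4 || code > 0xd8 {
		return 0, false
	}
	return 1 << (code - 0xd4), true
}

// readFixextUnchecked (hypothetical) trusts the format code: indexing past
// len(buf) or slicing past cap(buf) panics on truncated input.
func readFixextUnchecked(buf []byte) (int8, []byte) {
	n, _ := fixextLen(buf[0])
	return int8(buf[1]), buf[2 : 2+n]
}

// readFixext (hypothetical) checks the buffer length before any read.
func readFixext(buf []byte) (int8, []byte, error) {
	if len(buf) == 0 {
		return 0, nil, ErrTruncated
	}
	n, ok := fixextLen(buf[0])
	if !ok {
		return 0, nil, errors.New("not a fixext format code")
	}
	if len(buf) < 2+n { // 1 format byte + 1 type byte + n data bytes
		return 0, nil, ErrTruncated
	}
	return int8(buf[1]), buf[2 : 2+n], nil
}

func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	trunc := []byte{0xd6, 0x01, 0xaa} // constructed: fixext 4 with 1 of 4 data bytes
	fmt.Println(panics(func() { readFixextUnchecked(trunc) }))
	_, _, err := readFixext(trunc)
	fmt.Println(err)
}
```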

Vendor: github.com/shamaton/msgpack
Product: github.com/shamaton/msgpack
Published: Mar 26, 2026
Last Updated: Mar 30, 2026

Affected Versions

github.com/shamaton/msgpack: All versions affected
github.com/shamaton/msgpack/v2: All versions affected
github.com/shamaton/msgpack/v3: All versions affected

References

https://github.com/shamaton/msgpack/issues/59
https://github.com/golang/vulndb/issues/4513
https://pkg.go.dev/vuln/GO-2026-4513
https://securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026