CVE-2026-35480
go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers
CVSS Score
6.2
EPSS Score
0.0%
EPSS Percentile
2th
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
| CWE | CWE-770 |
| Vendor | ipld |
| Product | go-ipld-prime |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for ipld go-ipld-prime
Be the first to know when new medium vulnerabilities affecting ipld go-ipld-prime are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
ipld / go-ipld-prime
< 0.22.0