CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35480: Unbounded Memory Allocation and Denial of Service in go-ipld-prime DAG-CBOR Decoder

Vulnerability ID: CVE-2026-35480
CVSS Score: 6.2
Published: 2026-04-06

The go-ipld-prime library prior to version 0.22.0 suffers from a resource exhaustion vulnerability in its DAG-CBOR decoding implementation. Maliciously crafted CBOR payloads containing artificially large declared collection sizes bypass early budget checks, triggering massive upfront memory allocations that result in immediate application crashes.

TL;DR

A flaw in the go-ipld-prime DAG-CBOR decoder allows attackers to trigger Out-of-Memory (OOM) crashes via small payloads with large declared map or list lengths. The vulnerability is fixed in version 0.22.0.
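As an added illustration of the class of check that defeats this bug (this is example code, not go-ipld-prime's decoder or its fix, and all names are hypothetical), the Go snippet below parses a definite-length CBOR array header and refuses to preallocate more slots than the remaining input could possibly fill, since every element needs at least one byte; the map case is the same check for major type 5 with two items per entry.

```go
package main

import (
	"errors"
	"fmt"
)

// Returned when a header declares more elements than the remaining bytes could encode.
var ErrLengthExceedsInput = errors.New("declared length exceeds remaining input")

// decodeArrayHeader parses a definite-length CBOR array header (major type 4)
// and returns the declared element count and the header bytes consumed.
func decodeArrayHeader(b []byte) (n uint64, consumed int, err error) {
	if len(b) == 0 || b[0]>>5 != 4 {
		return 0, 0, errors.New("not a CBOR array header")
	}
	ai := b[0] & 0x1f
	switch {
	case ai < 24: // count is encoded in the header byte itself
		return uint64(ai), 1, nil
	case ai >= 24 && ai <= 27: // count follows as 1, 2, 4 or 8 big-endian bytes
		width := 1 << (ai - 24)
		if len(b) < 1+width {
			return 0, 0, errors.New("truncated length field")
		}
		for _, c := range b[1 : 1+width] {
			n = n<<8 | uint64(c)
		}
		return n, 1 + width, nil
	}
	return 0, 0, errors.New("indefinite-length arrays not handled here")
}

// boundedCapacity checks the declared count against the bytes left after the
// header before it is ever handed to make(), so a tiny payload cannot request a huge allocation.
func boundedCapacity(payload []byte) (int, error) {
	n, consumed, err := decodeArrayHeader(payload)
	if err != nil {
		return 0, err
	}
	if n > uint64(len(payload)-consumed) {
		return 0, ErrLengthExceedsInput
	}
	return int(n), nil
}

func main() {
	// Constructed samples: 0x9a = array with 4-byte count (here 2^32-1); 0x83 = array of 3.
	fmt.Println(boundedCapacity([]byte{0x9a, 0xff, 0xff, 0xff, 0xff})) // 0 declared length exceeds remaining input
	fmt.Println(boundedCapacity([]byte{0x83, 0x01, 0x02, 0x03}))       // 3 <nil>
}
```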


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Local / Network
  • CVSS Score: 6.2
  • Exploit Status: Proof of Concept (Unit Tests)
  • CISA KEV: Not Listed
  • Impact: High Availability Impact (DoS)

Affected Systems

  • go-ipld-prime DAG-CBOR Decoder
  • go-ipld-prime: < 0.22.0 (Fixed in: 0.22.0)

Code Analysis

Commit: e43bf4a

Fix unbounded memory allocation during unmarshal in dagcbor codec

Exploit Details

  • Patch Unit Tests: The unit tests added with the patch, which verify the allocation cap, outline how the condition can be reproduced.

Mitigation Strategies

  • Upgrade go-ipld-prime to version 0.22.0
  • Implement application-level recovery and health checks to restart crashed Go services
  • Audit dependency trees for transitive inclusions of vulnerable go-ipld-prime versions

Remediation Steps:

  1. Update go.mod to specify github.com/ipld/go-ipld-prime v0.22.0
  2. Execute 'go mod tidy' to synchronize dependencies
  3. Recompile the application and deploy the updated binaries
  4. Monitor application memory metrics post-deployment to ensure stable baseline consumption
