GHSA-FPF5-4JW8-67X8: Unbounded Memory Allocation in rust-zserio
Vulnerability ID: GHSA-FPF5-4JW8-67X8
CVSS Score: 7.5
Published: 2026-05-07
A critical vulnerability exists in the rust-zserio crate regarding how auto-generated deserialization routines handle variable-length structures. By supplying a maliciously crafted Zserio bitstream with an artificially inflated size header, an attacker can force the application to request massive memory allocations, resulting in an Out-of-Memory (OOM) panic and process termination.
TL;DR
Unbounded memory allocation in rust-zserio allows remote attackers to trigger an Out-of-Memory crash by providing malformed bitstreams with massive array lengths.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-770
- Attack Vector: Network (Malicious Payload)
- Impact: Denial of Service (DoS)
- Exploit Status: Proof of Concept (PoC) Available
- Authentication Required: None
- Remediation: Code Generator Update
Affected Systems
- Software leveraging rust-zserio versions prior to May 1, 2026
- Systems parsing untrusted Zserio payloads using generated Rust code
- rust-zserio: < 57f5fb4a2a8611d58dbcc1a9221349206dd99c3c (Fixed in: 57f5fb4a2a8611d58dbcc1a9221349206dd99c3c)
Code Analysis
Commit: 57f5fb4
Implemented chunked array allocation and incremental growth logic to prevent OOM.
Mitigation Strategies
- Update the rust-zserio crate to a version containing the fix commit.
- Regenerate all previously generated Rust code for Zserio decoding.
- Implement network-layer access controls to limit exposure of endpoints parsing Zserio structures.
Remediation Steps:
- Bump the rust-zserio dependency in Cargo.toml to the patched version.
- Execute the build process to trigger the internal generator.
- Verify that the newly generated code uses push-based loops instead of vec! macro initializations.
- Optionally configure the array allocation chunk size using zserio::set_array_alloc_chunk() to fine-tune memory profiles.
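As an added illustration of the defect and of the fix described above (example code, not rust-zserio's generated code), the block below decodes a length-prefixed u32 array from an untrusted buffer in both shapes: the allocate-up-front pattern and a bounded, chunk-growing one. `ALLOC_CHUNK`, `DecodeError` and the two sample buffers are assumptions constructed for this example, and `reserve_exact` stands in for the crate's chunked growth logic.

```rust
/// Hypothetical growth step, standing in for the advisory's configurable chunk size.
pub const ALLOC_CHUNK: usize = 64;
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    LengthExceedsInput { declared: u32, remaining: usize },
}

/// Big-endian u32 read that fails instead of panicking when the buffer runs out.
fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, DecodeError> {
    let b = buf.get(*pos..*pos + 4).ok_or(DecodeError::Truncated)?;
    *pos += 4;
    Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

/// Vulnerable shape: capacity comes straight from the untrusted length header,
/// so `len * 4` bytes are requested before a single element has been read.
pub fn decode_unbounded(buf: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let mut pos = 0;
    let len = read_u32(buf, &mut pos)? as usize;
    let mut out = Vec::with_capacity(len);
    for _ in 0..len {
        out.push(read_u32(buf, &mut pos)?);
    }
    Ok(out)
}

/// Hardened shape: a length the buffer cannot hold is rejected before any
/// allocation, then the vector grows ALLOC_CHUNK elements at a time, so memory
/// use tracks the bytes actually consumed rather than the header value.
pub fn decode_bounded(buf: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let mut pos = 0;
    let declared = read_u32(buf, &mut pos)?;
    let remaining = buf.len() - pos;
    if declared as usize > remaining / 4 {
        return Err(DecodeError::LengthExceedsInput { declared, remaining });
    }
    let len = declared as usize;
    let mut out: Vec<u32> = Vec::new();
    for _ in 0..len {
        if out.len() == out.capacity() {
            out.reserve_exact(ALLOC_CHUNK.min(len - out.len()));
        }
        out.push(read_u32(buf, &mut pos)?);
    }
    Ok(out)
}
/// Constructed samples: three elements, then a header claiming ~4 billion elements.
pub const VALID: &[u8] = &[0, 0, 0, 3, 0, 0, 0, 1, 0, 0, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF];
pub const INFLATED: &[u8] = &[0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 1];
```

The up-front length check only works when the whole payload is already in memory; for streamed input the chunked growth is what keeps the allocation proportional to data actually received.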
References
Read the full report for GHSA-FPF5-4JW8-67X8 on our website for more details including interactive diagrams and full exploit analysis.