CVE-2026-32284 PUBLISHED

Denial of service in github.com/shamaton/msgpack

Assigner: Go
Reserved: 11.03.2026 Published: 26.03.2026 Updated: 26.03.2026

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

Product Status

Vendor	github.com/shamaton/msgpack
Product	github.com/shamaton/msgpack
Versions	Default: affected

Vendor	github.com/shamaton/msgpack/v2
Product	github.com/shamaton/msgpack/v2
Versions	Default: affected

Vendor	github.com/shamaton/msgpack/v3
Product	github.com/shamaton/msgpack/v3
Versions	Default: affected

References

https://github.com/shamaton/msgpack/issues/59
https://github.com/golang/vulndb/issues/4513
https://pkg.go.dev/vuln/GO-2026-4513

Problem Types

CWE-125: Out-of-bounds Read