CVE-2026-32285 PUBLISHED

Denial of service in github.com/buger/jsonparser

Assigner: Go
Reserved: 11.03.2026 Published: 26.03.2026 Updated: 26.03.2026

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Product Status

Vendor	github.com/buger/jsonparser
Product	github.com/buger/jsonparser
Versions	Default: affected

References

https://github.com/buger/jsonparser/issues/275
https://github.com/golang/vulndb/issues/4514
https://pkg.go.dev/vuln/GO-2026-4514

Problem Types

CWE-125: Out-of-bounds Read