{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35480", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.453Z", "datePublished": "2026-04-07T14:43:24.781Z", "dateUpdated": "2026-04-09T14:40:11.103Z"}, "containers": {"cna": {"title": "go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"}], "affected": [{"vendor": "ipld", "product": "go-ipld-prime", "versions": [{"version": "< 0.22.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:43:24.781Z"}, "descriptions": [{"lang": "en", "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0."}], "source": {"advisory": "GHSA-378j-3jfj-8r9f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:40:02.350803Z", "id": "CVE-2026-35480", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:40:11.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35480", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:40:02.350803Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:40:07.398Z"}}], "cna": {"title": "go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers", "source": {"advisory": "GHSA-378j-3jfj-8r9f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ipld", "product": "go-ipld-prime", "versions": [{"status": "affected", "version": "< 0.22.0"}]}], "references": [{"url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f", "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:43:24.781Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35480", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:40:11.103Z", "dateReserved": "2026-04-02T20:49:44.453Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:43:24.781Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0."}], "id": "CVE-2026-35480", "lastModified": "2026-04-08T21:27:15.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:45.117", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.22.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "go-ipld-prime", "vendor": "ipld"}], "analysis": {"en": {"generated_at": "2026-04-07T19:51:08.705731+00:00", "value": {"mitigation_remediation": ["Update go-ipld-prime to version 0.22.0 or later, which corrects the parser allocation logic.", "If an upgrade is not immediately feasible, restrict the size of CBOR messages accepted by the application or validate payload size before decoding.", "Monitor system memory usage and set appropriate limits or cgroups to contain potential memory exhaustion attacks."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "go-ipld-prime, a Go implementation of IPLD for CBOR, before version 0.22.0. Any application using this library and processing CBOR input falls under the risk.", "description_and_impact": "The vulnerability in the DAG-CBOR decoder allows an attacker to cause an unbounded memory allocation by embedding large collection size hints in CBOR headers. The decoder does not cap these hints, so a crafted payload can trigger the application to allocate memory far beyond normal limits, leading to crashes or severe performance degradation. This is a memory allocation overflow with potential to deny service.", "risk_and_exploitability": "The CVSS score is 6.2 indicating moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a CBOR payload, so any exposed service or component that decodes CBOR could be targeted. The lack of EPSS data prevents a precise risk estimate, but the potential for resource exhaustion suggests that the risk remains significant for systems with untrusted CBOR input."}}}}, "created": "2026-04-08T19:48:43.676683+00:00", "updated": "2026-04-09T08:24:20.818173+00:00", "vendors": ["ipld", "ipld$PRODUCT$go-ipld-prime"]}