Cyber Resilience

CVE-2026-32284

High · Public PoC · Updated

Published: 26 March 2026
Modified: 03 June 2026
KEV Added: not listed
Patch: see the advisory references below
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (24.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32284 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Shamaton Msgpack. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 24.7th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-32284 is a vulnerability in the msgpack decoder of the shamaton/msgpack Go library. The decoder fails to properly validate the input buffer length when processing truncated fixext data using format codes 0xd4 through 0xd8, resulting in an out-of-bounds read and a runtime panic that enables a denial-of-service condition. The issue was published on 2026-03-26 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By supplying specially crafted, truncated fixext data to the decoder, the attacker triggers an out-of-bounds read, causing the application to panic and crash, thereby disrupting service availability.

Advisories and patches are detailed in the Go vulnerability database entry at pkg.go.dev/vuln/GO-2026-4513, the shamaton/msgpack GitHub issue at github.com/shamaton/msgpack/issues/59, the Go vulndb issue at github.com/golang/vulndb/issues/4513, and a research post from Security Infinity at securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026.

Vulnerability details

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.

CWE(s): CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote network exploitation of the msgpack decoder flaw triggers application panic/crash for DoS; directly maps to T1190 (public-facing app exploitation) and T1499.004 (application/system exploitation for availability impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-41604 (shared CWE-125)
- CVE-2026-30997 (shared CWE-125)
- CVE-2026-40890 (shared CWE-125)
- CVE-2026-26008 (shared CWE-125)
- CVE-2026-41475 (shared CWE-125)
- CVE-2026-25898 (shared CWE-125)
- CVE-2026-21888 (shared CWE-125)
- CVE-2026-4750 (shared CWE-125)
- CVE-2026-41503 (shared CWE-125)
- CVE-2026-26264 (shared CWE-125)

Affected Assets

shamaton/msgpack, versions ≤ 3.1.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- prevent: Requires timely remediation of the specific msgpack decoder flaw via the patches referenced in GO-2026-4513 to eliminate the out-of-bounds read vulnerability.
- prevent (SI-10 Information Input Validation): Mandates validation of input buffer lengths for fixext format codes 0xd4-0xd8 so that truncated msgpack data cannot trigger the decoder flaw.
- prevent (SI-11 Error Handling): Ensures error handling for out-of-bounds reads in the msgpack decoder prevents runtime panics and the resulting denial-of-service crashes.
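The vulnerability details above describe a decoder that trusts the length implied by a fixext format code without checking it against the bytes actually present, and the two SI-10/SI-11 controls describe the defences. The following Go program is an added illustration written for this page; it is not the shamaton/msgpack library's code and does not reproduce its internals. It uses the fixext layout from the msgpack specification (format code 0xd4..0xd8, then a one-byte ext type, then 1/2/4/8/16 payload bytes), a hypothetical `decodeFixExt` that validates the buffer length before slicing, a hypothetical `naiveDecodeFixExt` that shows the bug class, and a `recoverDecode` wrapper that turns a decoder panic into an error. The sample frames in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// fixextPayload maps the msgpack fixext format codes (0xd4..0xd8) to the
// number of payload bytes that follow the one-byte ext type:
// fixext 1, 2, 4, 8 and 16 respectively (from the msgpack spec).
var fixextPayload = map[byte]int{
	0xd4: 1, 0xd5: 2, 0xd6: 4, 0xd7: 8, 0xd8: 16,
}

var errNotFixExt = errors.New("msgpack: not a fixext format code")

// decodeFixExt parses one fixext value from the front of buf (SI-10 style
// input validation). It computes the frame length implied by the format
// code and compares it with len(buf) before slicing, so a truncated frame
// returns io.ErrUnexpectedEOF instead of reading out of bounds.
// It returns the ext type, the payload, and the number of bytes consumed.
func decodeFixExt(buf []byte) (typ int8, payload []byte, n int, err error) {
	if len(buf) == 0 {
		return 0, nil, 0, io.ErrUnexpectedEOF
	}
	size, ok := fixextPayload[buf[0]]
	if !ok {
		return 0, nil, 0, errNotFixExt
	}
	need := 2 + size // format code + ext type + payload
	if len(buf) < need {
		return 0, nil, 0, fmt.Errorf("msgpack: fixext 0x%02x needs %d bytes, have %d: %w",
			buf[0], need, len(buf), io.ErrUnexpectedEOF)
	}
	return int8(buf[1]), buf[2:need], need, nil
}

// naiveDecodeFixExt is a hypothetical decoder that shows the bug class
// (it is not the library's code): it trusts the format code and slices
// without comparing the implied length to len(buf). On a truncated frame
// whose capacity equals its length, the slice expression panics.
func naiveDecodeFixExt(buf []byte) (int8, []byte) {
	size := fixextPayload[buf[0]]
	return int8(buf[1]), buf[2 : 2+size]
}

// recoverDecode is a defence-in-depth wrapper (SI-11 style error handling):
// it converts any panic raised while decoding one message into an error, so
// one malformed frame fails that request instead of crashing the process.
func recoverDecode(buf []byte, dec func([]byte) (int8, []byte)) (typ int8, payload []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("msgpack: decoder panicked on malformed input: %v", r)
		}
	}()
	typ, payload = dec(buf)
	return typ, payload, nil
}

func main() {
	// Constructed sample frames: a complete fixext 4 (type 1, four payload
	// bytes) and the same frame cut off after two payload bytes.
	full := []byte{0xd6, 0x01, 0xde, 0xad, 0xbe, 0xef}
	truncated := []byte{0xd6, 0x01, 0xde, 0xad}

	if typ, p, n, err := decodeFixExt(full); err == nil {
		fmt.Printf("validated decoder: type=%d payload=%x consumed=%d\n", typ, p, n)
	}
	if _, _, _, err := decodeFixExt(truncated); err != nil {
		fmt.Println("validated decoder:", err)
	}
	if _, _, err := recoverDecode(truncated, naiveDecodeFixExt); err != nil {
		fmt.Println("recover wrapper:", err)
	}
}
```

The length check is the real fix; the recover wrapper only limits blast radius. One detail worth knowing when testing such code: a truncated frame produced by re-slicing a larger buffer (for example `full[:4]`) keeps the larger capacity, so `buf[2:6]` is legal Go and silently reads bytes past `len(buf)` from the backing array without panicking. That is an out-of-bounds read the runtime will not catch, which is why the decoder must compare the implied frame length with `len(buf)` itself rather than rely on a panic.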

References

- Go vulnerability database: pkg.go.dev/vuln/GO-2026-4513
- shamaton/msgpack GitHub issue: github.com/shamaton/msgpack/issues/59
- Go vulndb issue: github.com/golang/vulndb/issues/4513
- Security Infinity research post: securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026