CVE-2026-32284
Published: 26 March 2026
Summary
CVE-2026-32284 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Shamaton Msgpack. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-32284 is a vulnerability in the msgpack decoder of the shamaton/msgpack Go library. The decoder fails to properly validate the input buffer length when processing truncated fixext data using format codes 0xd4 through 0xd8, resulting in an out-of-bounds read and a runtime panic that enables a denial-of-service condition. The issue was published on 2026-03-26 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By supplying specially crafted, truncated fixext data to the decoder, the attacker triggers an out-of-bounds read, causing the application to panic and crash, thereby disrupting service availability.
Advisories and patches are detailed in the Go vulnerability database entry at pkg.go.dev/vuln/GO-2026-4513, the shamaton/msgpack GitHub issue at github.com/shamaton/msgpack/issues/59, the Go vulndb issue at github.com/golang/vulndb/issues/4513, and a research post from Security Infinity at securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16343
Vulnerability details
The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data (format codes 0xd4-0xd8). This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
Remote network exploitation of the msgpack decoder flaw triggers an application panic and crash, i.e. a denial of service; this maps directly to T1190 (exploitation of a public-facing application) and T1499.004 (application or system exploitation for availability impact).
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of the specific msgpack decoder flaw via the patches referenced in GO-2026-4513 to eliminate the out-of-bounds read vulnerability.
- SI-10 (Information Input Validation): mandates validation of input buffer lengths for fixext format codes 0xd4-0xd8 so that truncated msgpack data cannot trigger the decoder flaw.
- SI-11 (Error Handling): ensures that a short buffer in the msgpack decoder is reported as an error rather than causing a runtime panic and the resulting denial-of-service crash.
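As an added illustration of the SI-10 and SI-11 controls above (example code written for this page, not the shamaton/msgpack library's own decoder), the minimal Go parser below handles only the fixext formats 0xd4 through 0xd8 and checks the buffer length before every slice access, so a truncated value returns an error instead of panicking. The payload sizes (1, 2, 4, 8, 16 bytes) follow the MessagePack specification; the function names, the ErrTruncated sentinel and the sample bytes are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTruncated is returned when the buffer ends before the fixext payload does.
var ErrTruncated = errors.New("msgpack: truncated fixext data")

// ExtValue is a decoded fixext: an application-defined type tag plus payload.
type ExtValue struct {
	Type int8
	Data []byte
}

// fixextSize maps format codes 0xd4..0xd8 to their payload length (1, 2, 4, 8, 16).
func fixextSize(code byte) (int, bool) {
	if code < 0xd4 || code > 0xd8 {
		return 0, false
	}
	return 1 << (code - 0xd4), true
}

// DecodeFixext parses one fixext value from the front of buf and returns it
// with the number of bytes consumed. Every slice access is preceded by a
// length check, so truncated input yields ErrTruncated instead of a panic.
func DecodeFixext(buf []byte) (ExtValue, int, error) {
	if len(buf) < 1 {
		return ExtValue{}, 0, ErrTruncated
	}
	size, ok := fixextSize(buf[0])
	if !ok {
		return ExtValue{}, 0, fmt.Errorf("msgpack: 0x%02x is not a fixext code", buf[0])
	}
	need := 2 + size // format code + ext type byte + payload
	if len(buf) < need {
		return ExtValue{}, 0, fmt.Errorf("%w: need %d bytes, have %d", ErrTruncated, need, len(buf))
	}
	data := make([]byte, size)
	copy(data, buf[2:need])
	return ExtValue{Type: int8(buf[1]), Data: data}, need, nil
}

func main() {
	// Constructed input: a fixext 4 (0xd6) with type -1, cut short after one payload byte.
	v, n, err := DecodeFixext([]byte{0xd6, 0xff, 0x00})
	fmt.Printf("value=%+v consumed=%d err=%v\n", v, n, err)
}
```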