Cyber Posture

CVE-2026-32285

High · Public PoC

Published: 26 March 2026
Modified: 21 April 2026
KEV Added: not listed
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32285 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the jsonparser library (jsonparser project). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 8.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1499.004, Application or System Exploitation). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: timely patching of the jsonparser library removes the missing offset validation that leads to the runtime panic and DoS.
- Prevent (SI-10 Information Input Validation): validating JSON input for well-formedness before passing it to the Delete function prevents the negative slice index and the panic that follows.
- Prevent (SI-11 Error Handling): robust error handling ensures invalid offsets surface as errors rather than runtime panics, so a crafted input cannot crash the application.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote exploitation of public-facing applications via malformed JSON input directly enables T1190; the resulting application crash or panic matches T1499.004 (Application or System Exploitation) as a denial-of-service impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Deeper analysis

CVE-2026-32285 is a vulnerability in the Delete function of the jsonparser library (github.com/buger/jsonparser) for Go. It stems from a failure to properly validate offsets when processing malformed JSON input, resulting in a negative slice index that triggers a runtime panic and enables a denial-of-service condition. The issue is classified under CWE-129 (Improper Validation of Array Index) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact.

Unauthenticated remote attackers can exploit this vulnerability by supplying specially crafted malformed JSON input to applications using the affected jsonparser Delete function. Exploitation requires low complexity and no user interaction, allowing network-based denial of service through induced runtime panics that crash the application.

Mitigation details are available in related advisories, including the Go vulnerability database entry GO-2026-4514 (pkg.go.dev/vuln/GO-2026-4514), the Golang vulndb issue (github.com/golang/vulndb/issues/4514), the jsonparser library issue (github.com/buger/jsonparser/issues/275), and security research from securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026. Security practitioners should consult these for patch information and update guidance.
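The two controls recommended above (SI-10 input validation and SI-11 error handling) can be layered in front of the Delete call in Go. The following is an added example written for this page, not code from the jsonparser project; it assumes the library's public signature `Delete(data []byte, keys ...string) []byte` and uses a constructed stand-in for the unpatched behaviour so that it runs without the dependency.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// DeleteFunc matches the shape of jsonparser.Delete (assumed from its public
// signature) so a constructed stand-in can model the unpatched behaviour.
type DeleteFunc func(data []byte, keys ...string) []byte

var ErrInvalidJSON = errors.New("input is not well-formed JSON")

// SafeDelete applies the advisory's two controls: SI-10, reject input that is
// not well-formed JSON before it reaches the parser, and SI-11, convert a
// runtime panic into an error so one bad request cannot crash the process.
func SafeDelete(del DeleteFunc, data []byte, keys ...string) (out []byte, err error) {
	if !json.Valid(data) {
		return nil, ErrInvalidJSON
	}
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("Delete panicked on %d-byte input: %v", len(data), r)
		}
	}()
	return del(data, keys...), nil
}

// unpatchedDelete is a constructed stand-in (not the library's code): it drops
// top-level keys and, like the flaw, uses a negative slice index on bad input.
func unpatchedDelete(data []byte, keys ...string) []byte {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(data, &obj); err != nil {
		low := -1
		return data[low:] // runtime panic: slice bounds out of range
	}
	for _, k := range keys {
		delete(obj, k)
	}
	out, _ := json.Marshal(obj)
	return out
}

func main() {
	for _, in := range []string{`{"a":1,"session":"s1"}`, `{"a":1,"session":`} { // constructed inputs
		out, err := SafeDelete(unpatchedDelete, []byte(in), "session")
		fmt.Printf("out=%s err=%v\n", out, err)
	}
}
```

Recovering inside the request handler keeps a single malformed document from taking down the whole server process; the patched library remains the primary fix.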

Details

CWE(s): CWE-129 (Improper Validation of Array Index)

Affected Products: jsonparser project, jsonparser, versions ≤ 1.1.2

CVEs Like This One

- CVE-2026-25882 (shared CWE-129)
- CVE-2025-69248 (shared CWE-129)
- CVE-2026-31967 (shared CWE-129)
- CVE-2026-33281 (shared CWE-129)
- CVE-2026-40886 (shared CWE-129)
- CVE-2026-0528 (shared CWE-129)
- CVE-2024-45569 (shared CWE-129)
- CVE-2026-26932 (shared CWE-129)
- CVE-2025-71086 (shared CWE-129)
- CVE-2025-21680 (shared CWE-129)
