Cyber Resilience

CVE-2026-33524

HighPublic PoC

Published: 24 April 2026

Published
24 April 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 23.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33524 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Nds-Association Zserio. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33524 is a denial-of-service vulnerability in the Zserio framework, which provides compact and efficient serialization of structured data with low overhead. In versions prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, triggering an out-of-memory (OOM) error that crashes the affected process. The issue is tracked under CWE-789 (Uncontrolled Memory Allocation) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. By delivering the malicious payload to any Zserio-parsing component in a target application, an unauthenticated remote attacker can cause severe memory exhaustion, reliably crashing the process and disrupting service availability.

The vulnerability is fixed in Zserio version 2.18.1. Practitioners should upgrade to this release or later to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j.

EU & UK References

Vulnerability details

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process…

more

with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated crafted payload triggers uncontrolled memory allocation (CWE-789) leading to OOM crash; directly maps to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33666Same product: Nds-Association Zserio
CVE-2026-20048Shared CWE-789
CVE-2026-44375Shared CWE-789
CVE-2026-22026Shared CWE-789
CVE-2025-30211Shared CWE-789
CVE-2026-9538Shared CWE-789
CVE-2026-28253Shared CWE-789
CVE-2026-24158Shared CWE-789
CVE-2026-39312Shared CWE-789
CVE-2026-8485Shared CWE-789

Affected Assets

nds-association
zserio
≤ 2.18.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation through patching Zserio to version 2.18.1 or later to eliminate the uncontrolled memory allocation flaw.

prevent

Implements denial-of-service protections at system entry points to block crafted payloads that trigger massive memory exhaustion and process crashes.

prevent

Enforces validation of Zserio serialization inputs to reject malformed payloads that cause uncontrolled memory allocations up to 16 GB.

References