CVE-2026-33524
Published: 24 April 2026
Summary
CVE-2026-33524 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Nds-Association Zserio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation through patching Zserio to version 2.18.1 or later to eliminate the uncontrolled memory allocation flaw.
Implements denial-of-service protections at system entry points to block crafted payloads that trigger massive memory exhaustion and process crashes.
Enforces validation of Zserio serialization inputs to reject malformed payloads that cause uncontrolled memory allocations up to 16 GB.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated crafted payload triggers uncontrolled memory allocation (CWE-789) leading to OOM crash; directly maps to application exploitation for endpoint DoS.
NVD Description
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process…
more
with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1.
Deeper analysisAI
CVE-2026-33524 is a denial-of-service vulnerability in the Zserio framework, which provides compact and efficient serialization of structured data with low overhead. In versions prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, triggering an out-of-memory (OOM) error that crashes the affected process. The issue is tracked under CWE-789 (Uncontrolled Memory Allocation) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction, requiring only low attack complexity. By delivering the malicious payload to any Zserio-parsing component in a target application, an unauthenticated remote attacker can cause severe memory exhaustion, reliably crashing the process and disrupting service availability.
The vulnerability is fixed in Zserio version 2.18.1. Practitioners should upgrade to this release or later to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j.
Details
- CWE(s)