CVE-2026-33666
Published: 24 April 2026
Summary
CVE-2026-33666 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Nds-Association Zserio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the integer overflow vulnerability by requiring timely patching or upgrading Zserio to version 2.18.1 or later where the flaw is fixed.
Requires validation and sanitization of deserialization inputs to reject crafted data with overflowed lengths before they bypass bounds checks in readBytes() and readString().
Ensures effective error handling for integer overflows and buffer overreads, preventing segmentation faults and denial-of-service crashes from invalid memory access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow bypasses bounds check in deserializer, causing buffer overread and segfault for remote DoS via application exploitation.
NVD Description
Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then…
more
reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.
Deeper analysisAI
CVE-2026-33666 is an integer overflow vulnerability (CWE-190) in the Zserio framework, which provides compact and efficient serialization of structured data with low overhead. Versions prior to 2.18.1 are affected, specifically in the BitStreamReader.h file within the readBytes() and readString() functions. There, the setBitPosition() bounds check receives an overflowed value, allowing it to be completely bypassed. This leads the code to attempt reading 512 MB (len bytes) from a buffer that is only a few bytes long, resulting in a segmentation fault. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-04-24.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. An attacker simply needs to supply crafted input to a Zserio deserializer invoking readBytes() or readString(), triggering the overflowed bounds check bypass and subsequent buffer overread. Successful exploitation causes a segmentation fault, resulting in denial of service via application crash and high impact to availability, though confidentiality and integrity remain unaffected.
According to the GitHub security advisory (GHSA-fjwv-6wcr-vqwj), the vulnerability is fixed in Zserio version 2.18.1. Mitigation involves upgrading to 2.18.1 or later. Additional details are available at https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj.
Details
- CWE(s)