Source: msgpack-java
Version: 0.9.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for msgpack-java.

CVE-2026-21452[0]:
| MessagePack for Java is a serializer implementation for Java. A
| denial-of-service vulnerability exists in versions prior to 0.9.11
| when deserializing .msgpack files containing EXT32 objects with
| attacker-controlled payload lengths. While MessagePack-Java parses
| extension headers lazily, it later trusts the declared EXT payload
| length when materializing the extension data. When
| ExtensionValue.getData() is invoked, the library attempts to
| allocate a byte array of the declared length without enforcing any
| upper bound. A malicious .msgpack file of only a few bytes can
| therefore trigger unbounded heap allocation, resulting in JVM heap
| exhaustion, process termination, or service unavailability. This
| vulnerability is triggered during model loading / deserialization,
| making it a model format vulnerability suitable for remote
| exploitation. The vulnerability enables a remote denial-of-service
| attack against applications that deserialize untrusted .msgpack
| model files using MessagePack for Java. A specially crafted but
| syntactically valid .msgpack file containing an EXT32 object with an
| attacker-controlled, excessively large payload length can trigger
| unbounded memory allocation during deserialization. When the model
| file is loaded, the library trusts the declared length metadata and
| attempts to allocate a byte array of that size, leading to rapid
| heap exhaustion, excessive garbage collection, or immediate JVM
| termination with an OutOfMemoryError. The attack requires no
| malformed bytes, user interaction, or elevated privileges and can be
| exploited remotely in real-world environments such as model
| registries, inference services, CI/CD pipelines, and cloud-based
| model hosting platforms that accept or fetch .msgpack artifacts.
| Because the malicious file is extremely small yet valid, it can
| bypass basic validation and scanning mechanisms, resulting in
| complete service unavailability and potential cascading failures in
| production systems. Version 0.9.11 fixes the vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21452
    https://www.cve.org/CVERecord?id=CVE-2026-21452
[1] https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x
[2] https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
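The advisory above describes the root cause as trusting a declared EXT length before allocating the payload buffer. The following is an added, stand-alone illustration (not code from this bug report and not msgpack-java's own implementation) of the defensive check a deserializer needs: a minimal reader for the MessagePack ext family (fixext, ext8, ext16, ext32) that validates the declared payload length against both the bytes actually present and a caller-chosen cap before any allocation sized by that length. The cap value MAX_EXT_PAYLOAD and the helper names are assumptions for the example; the 6-byte ext32 sample is constructed here to show that a syntactically valid object can declare 4 GiB of payload.

```python
"""Bounded parser for MessagePack ext objects (illustrative, not msgpack-java).

Wire formats (MessagePack spec):
  fixext1/2/4/8/16: 0xd4..0xd8 | type (int8) | data
  ext8:             0xc7 | len (uint8)       | type (int8) | data
  ext16:            0xc8 | len (uint16 BE)   | type (int8) | data
  ext32:            0xc9 | len (uint32 BE)   | type (int8) | data
"""
import struct

# Assumed application-level cap on a single ext payload; tune for your data.
MAX_EXT_PAYLOAD = 16 * 1024 * 1024  # 16 MiB


class UnsafeLengthError(ValueError):
    """Declared ext length is not backed by input or exceeds the configured cap."""


_EXT_FORMATS = {0xC7: ("B", 1), 0xC8: (">H", 2), 0xC9: (">I", 4)}
_FIXEXT = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}


def read_ext(buf, offset=0, max_payload=MAX_EXT_PAYLOAD):
    """Parse one ext object at buf[offset:]; return (ext_type, payload, next_offset).

    The declared length is attacker-controlled metadata, so it is checked
    against the remaining input and the cap BEFORE any payload buffer is built.
    """
    if offset >= len(buf):
        raise ValueError("truncated input: no format byte")
    fmt = buf[offset]
    offset += 1
    if fmt in _FIXEXT:
        length = _FIXEXT[fmt]
    elif fmt in _EXT_FORMATS:
        spec, width = _EXT_FORMATS[fmt]
        if offset + width > len(buf):
            raise ValueError("truncated input: length field")
        (length,) = struct.unpack_from(spec, buf, offset)
        offset += width
    else:
        raise ValueError("not an ext format byte: 0x%02x" % fmt)

    # Bound check 1: application cap, independent of input size.
    if length > max_payload:
        raise UnsafeLengthError(
            "declared ext payload %d exceeds cap %d" % (length, max_payload))
    # Bound check 2: the type byte plus the payload must actually be present.
    remaining = len(buf) - offset - 1
    if length > remaining:
        raise UnsafeLengthError(
            "declared ext payload %d exceeds remaining %d bytes" % (length, remaining))

    (ext_type,) = struct.unpack_from("b", buf, offset)
    offset += 1
    payload = bytes(buf[offset:offset + length])  # safe: length already validated
    return ext_type, payload, offset + length


def encode_ext32(ext_type, declared_length, payload=b""):
    """Build an ext32 object with an arbitrary declared length (test helper)."""
    return b"\xc9" + struct.pack(">I", declared_length) + struct.pack("b", ext_type) + payload


def check_ext(buf, max_payload=MAX_EXT_PAYLOAD):
    """Return (accepted, detail) for a buffer holding one ext object."""
    try:
        ext_type, payload, _ = read_ext(buf, 0, max_payload)
        return True, "ext type %d, %d payload bytes" % (ext_type, len(payload))
    except UnsafeLengthError as exc:
        return False, str(exc)


# Constructed samples: a benign 3-byte payload and a 6-byte object that
# declares 0xFFFFFFFF bytes of payload it does not carry.
BENIGN_EXT32 = encode_ext32(5, 3, b"abc")
HOSTILE_EXT32 = encode_ext32(1, 0xFFFFFFFF)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_EXT32), ("hostile", HOSTILE_EXT32)):
        print(name, len(sample), "bytes ->", check_ext(sample))
```

The two checks are deliberately separate: the remaining-input check catches files that lie about their size, while the cap protects streaming readers that cannot know the total input length up front and would otherwise still allocate whatever the header declares.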

