{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33524", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.829Z", "datePublished": "2026-04-24T18:18:02.913Z", "dateUpdated": "2026-04-27T13:35:28.660Z"}, "containers": {"cna": {"title": "Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"version": "< 2.18.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:18:02.913Z"}, "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1."}], "source": {"advisory": "GHSA-cwq5-8pvq-j65j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:20:21.391216Z", "id": "CVE-2026-33524", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:35:28.660Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33524", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:20:21.391216Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:20:22.417Z"}}], "cna": {"title": "Zserio: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization", "source": {"advisory": "GHSA-cwq5-8pvq-j65j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"status": "affected", "version": "< 2.18.1"}]}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j", "name": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:18:02.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33524", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:35:28.660Z", "dateReserved": "2026-03-20T18:05:11.829Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T18:18:02.913Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:*", "matchCriteriaId": "5488B9D1-04B2-459B-BE23-2FF4A91D12CF", "versionEndExcluding": "2.18.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1."}], "id": "CVE-2026-33524", "lastModified": "2026-04-28T18:33:01.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T19:17:09.850", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.18.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zserio", "source": "cna", "vendor": "ndsev"}, "product": "zserio", "vendor": "ndsev"}], "analysis": {"en": {"generated_at": "2026-04-28T20:00:23.552148+00:00", "value": {"mitigation_remediation": ["Upgrade Zserio to version 2.18.1 or later to apply the official fix", "Restrict deserialization to trusted data sources and implement additional size checks on incoming data to prevent large allocations", "Monitor application memory usage and configure OOM killer thresholds or employ containers with memory limits to mitigate service disruption"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Zserio released before 2.18.1. The framework is distributed by ndsev under the Zserio project. No specific sub\u2011versions are listed, so any install older than 2.18.1 is potentially impacted.", "description_and_impact": "An integer overflow in Zserio's BitStreamReader allows an attacker to craft a 4\u2011to\u20115\u2011byte payload that triggers an unbounded memory allocation during deserialization. The resulting 16\u202fGB allocation causes the host process to crash with an out\u2011of\u2011memory error, denying availability. This flaw falls under CWE\u2011789 (Uncontrolled Memory Allocation).", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity for denial of service. The EPSS score of less than 1% indicates that the probability of exploitation at this time is very low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can supply the crafted payload to the BitStreamReader, which occurs when a process deserializes data from an untrusted source. The attack vector is therefore inferred to be remote or local depending on how the library is used; if the framework is exposed over a network service, the flaw can be triggered remotely."}}}}, "created": "2026-04-28T09:17:54.485367+00:00", "updated": "2026-04-28T20:15:26.776906+00:00", "vendors": ["ndsev", "ndsev$PRODUCT$zserio"]}