{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33666", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.220Z", "datePublished": "2026-04-24T18:21:11.265Z", "dateUpdated": "2026-04-27T13:46:01.833Z"}, "containers": {"cna": {"title": "Zserio: Integer Overflow in BitStreamReader on 32-bit platforms", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj"}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"version": "<= 2.15.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:21:11.265Z"}, "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1."}], "source": {"advisory": "GHSA-fjwv-6wcr-vqwj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:45:58.519906Z", "id": "CVE-2026-33666", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:46:01.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33666", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:45:58.519906Z"}}}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:45:47.937Z"}}], "cna": {"title": "Zserio: Integer Overflow in BitStreamReader on 32-bit platforms", "source": {"advisory": "GHSA-fjwv-6wcr-vqwj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"status": "affected", "version": "<= 2.15.0"}]}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "name": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:21:11.265Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33666", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:46:01.833Z", "dateReserved": "2026-03-23T15:23:42.220Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T18:21:11.265Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:*", "matchCriteriaId": "5488B9D1-04B2-459B-BE23-2FF4A91D12CF", "versionEndExcluding": "2.18.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1."}], "id": "CVE-2026-33666", "lastModified": "2026-04-28T18:32:02.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T19:17:10.147", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.15.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zserio", "source": "cna", "vendor": "ndsev"}, "product": "zserio", "vendor": "ndsev"}], "analysis": {"en": {"generated_at": "2026-04-28T13:37:13.179847+00:00", "value": {"mitigation_remediation": ["Update Zserio to version\u202f2.18.1 or newer, which contains the bounds\u2011check fix for BitStreamReader.", "Validate or sanitize any data that will be passed to Zserio\u2019s readBytes() or readString() to ensure the length does not exceed the available buffer size.", "Configure monitoring to detect segmentation faults and automatically restart the affected service, or run the application in a sandboxed environment to contain crashes."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via out\u2011of\u2011bounds read leading to segmentation fault"}, "threat_synthesis": {"affected_systems": "All installations of the Zserio serialization framework from the ndsev repository running a version prior to 2.18.1 are affected. No specific distribution or build is listed, so any build that includes BitStreamReader.h without the patch is vulnerable.", "description_and_impact": "Zserio\u2019s BitStreamReader functions readBytes() and readString() perform a bounds check on the number of bytes to read. On 32\u2011bit platforms the length calculation overflows, causing the check to be bypassed. The code then attempts to read an overflowed 512\u202fMB of data from a buffer that is only a few bytes, resulting in a segmentation fault. The vulnerability does not allow arbitrary code execution or privilege escalation, but any process that uses the vulnerable Zserio library will be vulnerable to a crash that may lead to service disruption.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact if exploited. The EPSS score of less than 1\u202f% suggests modest likelihood of exploitation, which is unsurprising given the local\u2011only nature of the flaw. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can supply crafted serialized data to the vulnerable application; the resulting crash can be leveraged to cause a denial of service. Based on the description, the likely attack vector is local, with an adversary injecting malicious input into an application that uses Zserio."}}}}, "created": "2026-04-27T19:52:53.437522+00:00", "updated": "2026-04-28T13:45:06.135461+00:00", "vendors": ["ndsev", "ndsev$PRODUCT$zserio"]}