cvedb.io
CVE-2026-21452
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-01-02T21:16:03.067 · Last modified 2026-06-17T10:18:41.907

Summary

MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulne
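The mitigation the summary implies, checking a declared EXT32 length against both a policy cap and the bytes actually present before allocating, as an added example; this is standalone Python written for this page, not code from msgpack-java, and the 1 MiB cap and the sample inputs are constructed for the illustration.

```python
import struct

# msgpack format byte for a 32-bit-length extension object (ext 32)
EXT32 = 0xC9
# Cap chosen for this example; real limits depend on the payloads an application expects
DEFAULT_MAX_EXT_LEN = 1 << 20  # 1 MiB


def parse_ext32(data: bytes, max_ext_len: int = DEFAULT_MAX_EXT_LEN) -> tuple:
    """Parse one ext 32 object from `data`, returning (type, payload).

    The payload buffer is only allocated after the declared length has been
    checked against the cap and against the bytes remaining in the input, so a
    tiny file claiming a huge payload is rejected instead of exhausting the heap.
    """
    if len(data) < 6:
        raise ValueError("truncated ext 32 header")
    if data[0] != EXT32:
        raise ValueError(f"not an ext 32 object: 0x{data[0]:02x}")
    # ext 32 layout: 0xc9 | uint32 big-endian length | int8 type | payload
    (declared_len,) = struct.unpack_from(">I", data, 1)
    (ext_type,) = struct.unpack_from(">b", data, 5)
    if declared_len > max_ext_len:
        raise ValueError(f"declared ext length {declared_len} exceeds cap {max_ext_len}")
    available = len(data) - 6
    if declared_len > available:
        raise ValueError(f"declared ext length {declared_len} but only {available} bytes remain")
    payload = bytes(data[6:6 + declared_len])  # allocation is now bounded by the input size
    return ext_type, payload


def build_ext32(ext_type: int, payload: bytes) -> bytes:
    """Encode an ext 32 object; used here only to construct sample inputs."""
    return bytes([EXT32]) + struct.pack(">I", len(payload)) + struct.pack(">b", ext_type) + payload


# Constructed sample inputs (not taken from the advisory).
BENIGN = build_ext32(5, b"hello")
# Six-byte input that declares a 4 GiB payload: a reader that trusts the header
# would try to allocate 0xFFFFFFFF bytes before noticing that none are present.
MALICIOUS = bytes([EXT32]) + struct.pack(">I", 0xFFFFFFFF) + struct.pack(">b", 5)


def is_rejected(data: bytes) -> bool:
    """True if the bounded parser refuses the input instead of allocating for it."""
    try:
        parse_ext32(data)
    except ValueError:
        return True
    return False
```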

Affected products

msgpack — messagepack


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.