GHSA-fpf5-4jw8-67x8

Source
https://github.com/advisories/GHSA-fpf5-4jw8-67x8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fpf5-4jw8-67x8/GHSA-fpf5-4jw8-67x8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fpf5-4jw8-67x8
Published
2026-05-07T01:54:57Z
Modified
2026-05-07T02:02:17.907769Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
rust-zserio has Unbounded Memory Allocation
Details

Impact

When deserializing arrays, strings or bytes (blob) types, zserio first reads the size of the value and then allocates enough memory to hold the data. Because the size is always trusted, this can be abused by crafting a data file with a large size value, causing the zserio runtime to allocate large amounts of memory.
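The pattern above in miniature, as an added example that is not rust-zserio code: a length-prefixed blob decoder that trusts the size field, beside one that bounds the declared size by the bytes actually present before allocating. The 4-byte big-endian length prefix and the sample messages are constructed stand-ins for zserio's varsize-prefixed encoding.

```rust
// Added example (not rust-zserio code). The real format uses a varsize
// prefix; a fixed 4-byte big-endian length is assumed here for brevity.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    /// The declared size exceeds the bytes actually present in the input.
    SizeExceedsInput { declared: usize, available: usize },
}

fn split_header(buf: &[u8]) -> Result<([u8; 4], &[u8]), DecodeError> {
    if buf.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let mut hdr = [0u8; 4];
    hdr.copy_from_slice(&buf[..4]);
    Ok((hdr, &buf[4..]))
}

/// Vulnerable shape: the size field drives the allocation before any
/// payload byte has been shown to exist. A prefix of 0xFFFF_FFFF reserves
/// about 4 GiB here no matter how short the input is.
pub fn read_blob_trusting_size(buf: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (hdr, rest) = split_header(buf)?;
    let len = u32::from_be_bytes(hdr) as usize;
    let mut out = Vec::with_capacity(len);
    out.extend_from_slice(rest.get(..len).ok_or(DecodeError::Truncated)?);
    Ok(out)
}

/// Hardened shape: the declared size is checked against the remaining
/// input first, so no allocation can exceed the size of the message.
pub fn read_blob_bounded(buf: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (hdr, rest) = split_header(buf)?;
    let len = u32::from_be_bytes(hdr) as usize;
    if len > rest.len() {
        return Err(DecodeError::SizeExceedsInput { declared: len, available: rest.len() });
    }
    Ok(rest[..len].to_vec())
}

/// Constructed sample inputs: a well-formed 3-byte blob, and a message whose
/// size field claims 0xFFFF_FFFF bytes while carrying only three.
pub const GOOD: &[u8] = &[0, 0, 0, 3, b'a', b'b', b'c'];
pub const OVERSIZED: &[u8] = &[0xFF, 0xFF, 0xFF, 0xFF, b'a', b'b', b'c'];
```

Feeding `OVERSIZED` to `read_blob_bounded` yields `SizeExceedsInput` with no allocation; the same input to `read_blob_trusting_size` would reserve the full declared capacity before discovering the payload is missing.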

Patches

Please cherry-pick 57f5fb.

Workarounds

  • Do not accept zserio-encoded messages from non-trusted sources.
  • Allocate a maximum heap amount to rust-zserio to avoid impacting other applications.
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T01:54:57Z",
    "cwe_ids": [
        "CWE-789"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

crates.io / rust-zserio

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fpf5-4jw8-67x8/GHSA-fpf5-4jw8-67x8.json"
last_known_affected_version_range
"<= 0.5.3"