CVE-2026-21452: MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation
Affected Components:
org.msgpack.core.MessageUnpacker.readPayload()
org.msgpack.core.MessageUnpacker.unpackValue()
org.msgpack.value.ExtensionValue.getData()
A denial-of-service vulnerability exists in MessagePack for Java when deserializing MessagePack data (for example a .msgpack file) that contains an EXT32 object with an attacker-controlled payload length. MessagePack-Java parses the extension header lazily, but when the extension data is later materialized (readPayload(), reached through unpackValue() or ExtensionValue.getData()) it trusts the declared length and allocates a byte array of that size without enforcing any upper bound, before verifying that the input actually contains that many bytes. An EXT32 header is only six bytes (the 0xc9 marker, a 4-byte big-endian length and a 1-byte type), so a malicious input of a few bytes that declares a length near the 32-bit maximum can trigger a multi-gigabyte heap allocation, resulting in JVM heap exhaustion (OutOfMemoryError), process termination, or service unavailability. Because the allocation happens during model loading / deserialization, this is a model format vulnerability that is exploitable remotely by anyone who can supply the serialized input. The references below link the fix commit and the v0.9.11 release; until a fixed version is deployed, consumers of untrusted MessagePack data should bound the declared EXT length themselves before materializing the payload.
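The following Java example is added here to illustrate the two consumer patterns described above; it is not code from msgpack-java or from the advisory. It builds a constructed 6-byte EXT32 input that declares a 0x7fffffff-byte payload, shows the trusting pattern (unpackValue()/getData()) for contrast only, and shows a hardened reader that uses the public msgpack-core API (getNextFormat(), unpackExtensionTypeHeader(), readPayload()) to bound the declared length before any payload allocation. The 1 MiB limit (MAX_EXT_PAYLOAD), the class name and the sample byte strings are assumptions for this example.

```java
import java.io.IOException;

import org.msgpack.core.ExtensionTypeHeader;
import org.msgpack.core.MessageFormat;
import org.msgpack.core.MessagePack;
import org.msgpack.core.MessageUnpacker;
import org.msgpack.value.ExtensionValue;
import org.msgpack.value.ValueType;

public class BoundedExtReader {

    // Assumed deployment limit: the largest EXT payload this service is willing to materialize.
    static final int MAX_EXT_PAYLOAD = 1 << 20; // 1 MiB, an assumption for this example

    // Constructed input: a 6-byte ext32 header (0xc9 marker, 4-byte big-endian length, 1-byte type)
    // that declares a 0x7fffffff-byte payload which is not actually present in the input.
    static final byte[] MALICIOUS_EXT32 = {
        (byte) 0xc9, (byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x01
    };

    // Constructed benign input: a fixext1 value (0xd4 marker, type 1, one payload byte 0x2a).
    static final byte[] BENIGN_FIXEXT1 = { (byte) 0xd4, (byte) 0x01, (byte) 0x2a };

    /**
     * Consumer pattern described in the advisory: the declared length is trusted.
     * Shown for contrast only; on an unpatched library, calling this on MALICIOUS_EXT32
     * attempts a ~2 GiB allocation, so main() does not invoke it.
     */
    static byte[] unsafeRead(byte[] input) throws IOException {
        try (MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(input)) {
            ExtensionValue ext = unpacker.unpackValue().asExtensionValue();
            return ext.getData();
        }
    }

    /**
     * Hardened pattern: read only the extension header, compare the declared length
     * against a caller-supplied limit, and allocate the payload only if it passes.
     */
    static byte[] boundedRead(byte[] input, int maxPayload) throws IOException {
        try (MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(input)) {
            MessageFormat format = unpacker.getNextFormat();
            if (format.getValueType() != ValueType.EXTENSION) {
                throw new IOException("expected an extension value, got " + format.getValueType());
            }
            ExtensionTypeHeader header = unpacker.unpackExtensionTypeHeader();
            int declared = header.getLength();
            if (declared < 0 || declared > maxPayload) {
                throw new IOException("EXT type " + header.getType() + " declares "
                        + declared + " payload bytes, limit is " + maxPayload);
            }
            // The allocation is now bounded by maxPayload rather than by attacker input.
            return unpacker.readPayload(declared);
        }
    }

    public static void main(String[] args) throws IOException {
        try {
            boundedRead(MALICIOUS_EXT32, MAX_EXT_PAYLOAD);
            System.out.println("unexpected: malicious input was accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        byte[] payload = boundedRead(BENIGN_FIXEXT1, MAX_EXT_PAYLOAD);
        System.out.println("accepted payload of " + payload.length + " byte(s)");
    }
}
```

The bounded reader only protects code paths that go through it; any remaining unpackValue()/getData() call on untrusted input is still exposed, so the length check is a stopgap alongside upgrading to a fixed release, not a replacement for it. The limit should reflect the largest extension payload the application legitimately expects, and it is worth keeping well below the JVM heap so a single request cannot consume it.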
References
- github.com/advisories/GHSA-cw39-r4h6-8j3x
- github.com/msgpack/msgpack-java
- github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae
- github.com/msgpack/msgpack-java/releases/tag/v0.9.11
- github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x
- nvd.nist.gov/vuln/detail/CVE-2026-21452