Multiple Platforms (C++/Java/Python/Go), Unbounded Memory Allocation, CVE-2026-33524 (Critical)

Listen to this Post

The vulnerability stems from an implicit trust in length values read from serialized data streams across multiple zserio runtime implementations. During deserialization of arrays, strings, and byte blobs, the runtime reads a `varsize` integer to determine how much memory to allocate before loading the actual data. This length value is never validated against the actual remaining bytes in the input stream.
On 64-bit systems, an attacker can craft a payload as small as 4–5 bytes that specifies an arbitrarily large length value. In C++, the unchecked length propagates to `Array.h` on line 1029 (m_rawArray.reserve(readLength)) and `BitStreamReader.h` on lines 249 and 281 (value.reserve(len)). In Java, the flaw appears in `Array.java` on line 271 (rawArray.reset(readSize) → new int

</code>) and `ByteArrayBitStreamReader.java` on line 245 (<code>new byte[bash]</code>).
For example, a 4‑byte payload claiming a size of 100,000,000 triggers a 762 MB allocation—a ~200 million× amplification. A 5‑byte payload claiming 2,147,483,647 forces an allocation of approximately 16 GB, rapidly leading to an out‑of‑memory (OOM) crash and a denial‑of‑service condition. Because the size is trusted without any sanity check against the remaining stream data, this amplification can be weaponized with minimal bandwidth, making the vulnerability both simple to exploit and devastating in impact.

<h2 style="color: blue;">dailycve form:</h2>

Platform: Multiple (C++/Java/Python/Go)
Version: <=2.18.0 (and pre‑0.9.1 in Go)
Vulnerability: Unbounded memory allocation DoS
Severity: Critical (7.5 High CVSSv3)
date: 2026-04-24

<h2 style="color: blue;">Prediction: Patch already released (2026-04-24)</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

This vulnerability is a textbook case of missing input validation in a parsing path; the lack of a bound check against `remainingBytesInStream` before allocation allows a single integer value to dictate system resource consumption. For context:
[bash]
Check if your zserio runtime version is vulnerable
python -c "import zserio; print(zserio.<strong>version</strong>)"
mvn dependency:tree | grep zserio-runtime
Simulate an unchecked allocation on Linux (ulimit to observe OOM behavior)
ulimit -v 1048576
python -c "import array; a = array.array('b', [bash]) 100_000_000"
Minimal PoC concept (illustrative only)
import struct
crafting a malicious stream: [varsize = 2,147,483,647]
malicious = struct.pack('<I', 0x7FFFFFFF) 4 bytes for max 32-bit signed int
In zserio prior to 2.18.1, this will attempt ~16GB allocation

Exploit:

An unauthenticated attacker can deliver a 4‑ to 5‑byte malicious payload via any medium where zserio deserialization occurs—NDS.Live cloud map updates, map data supply chain compromise, backend data processing pipelines, or direct file input. Amplification rates up to ~200 million× are achieved, leading to process termination via OOM on all platforms. On 32-bit automotive ECUs, this could also affect ADAS functionality due to constrained memory resources.

Protection from this CVE:

Update to zserio runtime version 2.18.1 (or Go runtime version 0.9.1). If updating is not immediately possible, implement a wrapper that validates any `varsize` against explicit maximum bounds based on business logic. Do not accept zserio data from non-trusted sources and use secure transport (TLS) to mitigate in-transit tampering. The upstream fix adds a simple guard:

if (claimedSize > remainingBytesInStream) {
throw error("varsize claims more data than available in stream");
}

Impact:

The vulnerability affects the zserio serialization framework underlying the Navigation Data Standard (NDS), used by 43 member companies including Toyota, BMW, Volkswagen, and Mercedes-Benz. As noted by the Eclipse zserio project, “Zserio serialized data is used in millions of deployments in cars on the road.” A successful DoS attack could disrupt navigation and telematics services across an entire fleet.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top