CVE-2026-35480
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
Description
The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. A CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation. Schema-free decoding (i.e. using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as `Any` in the schema permits unconstrained nesting within that field. The fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.
How to fix CVE-2026-35480
To remediate CVE-2026-35480, upgrade the affected package to a fixed version below.
- —upgrade to 0.22.0 or later
Is CVE-2026-35480 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.22.0