CVE-2026-33524
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization
Description
## Summary

### Unbounded Memory Allocation (all platforms)

A crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing the deserializing process with an out-of-memory error (denial of service). The array or string length is decoded from the stream as a varsize value and handed straight to an allocation, without any check that the stream still holds enough data for that many elements.

**Affected code (C++):**

- `cpp/runtime/src/zserio/Array.h` (line 1029) — `m_rawArray.reserve(readLength)` with unchecked `readLength`
- `cpp/runtime/src/zserio/BitStreamReader.h` (lines 249, 281) — `value.reserve(len)` with unchecked `len`

**Affected code (Java):**

- `java/runtime/src/zserio/runtime/array/Array.java` (line 271) — `rawArray.reset(readSize)` → `new int[readSize]`
- `java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java` (line 245) — `new byte[length]`

## Proof of Concept

### Memory Allocation DoS (verified on 64-bit)

| Payload | Claimed Size (elements) | Allocated | Amplification (allocated bytes / payload bytes) |
|---------|-------------------------|-----------|-------------------------------------------------|
| 4 bytes | 100,000,000 | 762 MB | ~200 million x |
| 5 bytes | 2,147,483,647 | ~16 GB | system crash |

The allocated figures are consistent with eight bytes per element (100,000,000 × 8 bytes ≈ 762 MiB; 2,147,483,647 × 8 bytes ≈ 16 GiB). The full PoC source code and Docker build files are available upon request.

## Impact

zserio is the serialization framework underlying the **NDS (Navigation Data Standard)**, used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:

> "Zserio serialized data is used in millions of deployments in cars on the road"

Attack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality.
## Suggested Fix

### For all runtimes: Validate varsize against stream size

```
if (claimedSize > remainingBytesInStream) {
    throw error("varsize claims more data than available in stream");
}
```

The check must run before `reserve()` / `new T[]`, not after the elements have been read. One caveat when applying it generically: zserio arrays can hold sub-byte elements (`bool`, `bit:1`), so comparing an element count against remaining *bytes* rejects valid data whose element count exceeds the remaining byte count. The bound that is always safe is one bit per element, i.e. compare `claimedSize` against the remaining *bits* of the stream, and use the element's fixed bit size where it is known to tighten it.

## Disclosure Timeline

- **2026-03-08:** Reported to Woven by Toyota PSIRT (go-zserio)
- **2026-03-10:** Reported to ndsev/zserio maintainers via GitHub Security Advisory
- **2026-03-23:** Split off overflow vulnerability to own report
- **90-day coordinated disclosure timeline**

A patch for this issue is available at https://github.com/ndsev/zserio/releases/tag/v2.18.1.

## Reporter

Ryuji Yasukochi ([email protected])
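The unchecked length-to-allocation path from the Summary and the bound from the Suggested Fix, side by side, as an added example. This is not zserio's runtime code and not the reporter's PoC: `MiniReader`, its byte-oriented reads (real zserio streams are bit-oriented), the payload bytes and the assumed varsize layout (up to five bytes; bytes 1 to 4 carry a continuation bit plus seven value bits, byte 5 carries eight value bits, most significant bits first, values above 2^31-1 rejected) are all constructions of this example. The vulnerable path reports how many bytes `reserve()` would request for 8-byte elements instead of allocating them, so it is safe to run; the bounded path applies the check before allocating and still decodes a well-formed two-element array.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <utility>
#include <vector>

// Added example, not zserio's runtime code. Minimal byte-oriented reader used to
// contrast the unchecked reserve(len) pattern with a stream-bounded length check.
class MiniReader {
public:
    explicit MiniReader(std::vector<uint8_t> data) : m_data(std::move(data)) {}

    size_t remainingBytes() const { return m_data.size() - m_pos; }

    uint8_t readByte() {
        if (m_pos >= m_data.size())
            throw std::runtime_error("read past end of stream");
        return m_data[m_pos++];
    }

    // Assumed varsize layout (an assumption of this example): bytes 1-4 have a
    // continuation bit (0x80) plus 7 value bits, byte 5 has 8 value bits,
    // most significant bits first; anything above 2^31-1 is rejected.
    uint32_t readVarSize() {
        uint64_t result = 0;
        for (size_t i = 0; i < 5; ++i) {
            const uint8_t byte = readByte();
            if (i == 4) {                      // fifth byte: all eight bits are value
                result = (result << 8) | byte;
                break;
            }
            result = (result << 7) | (byte & 0x7F);
            if ((byte & 0x80) == 0) break;     // no continuation bit: done
        }
        if (result > 0x7FFFFFFFu)
            throw std::runtime_error("varsize exceeds 2^31-1");
        return static_cast<uint32_t>(result);
    }

    int64_t readInt64() {                      // big-endian 8-byte element
        uint64_t v = 0;
        for (int i = 0; i < 8; ++i) v = (v << 8) | readByte();
        return static_cast<int64_t>(v);
    }

private:
    std::vector<uint8_t> m_data;
    size_t m_pos = 0;
};

// Vulnerable shape: the decoded length is trusted before a single element has
// been read. Instead of calling reserve(), return the byte count such a
// reserve() would request for 8-byte elements, so the example is safe to run.
uint64_t unboundedReserveBytes(const std::vector<uint8_t>& payload) {
    MiniReader reader(payload);
    const uint32_t len = reader.readVarSize();
    return static_cast<uint64_t>(len) * sizeof(int64_t);   // what reserve(len) would ask for
}

// Hardened shape: bound the claimed element count by what the stream can still
// hold, before allocating. Dividing by the fixed element size is exact for
// int64; for sub-byte or variable-size elements the generic safe bound is one
// bit per element, compared against the remaining bits.
std::vector<int64_t> readInt64ArrayBounded(const std::vector<uint8_t>& payload) {
    MiniReader reader(payload);
    const uint32_t len = reader.readVarSize();
    if (len > reader.remainingBytes() / sizeof(int64_t))
        throw std::runtime_error("array length claims more data than the stream holds");
    std::vector<int64_t> out;
    out.reserve(len);                          // now bounded by the stream size
    for (uint32_t i = 0; i < len; ++i) out.push_back(reader.readInt64());
    return out;
}

// True when the bounded reader rejects the payload.
bool boundedReadRejects(const std::vector<uint8_t>& payload) {
    try { (void)readInt64ArrayBounded(payload); return false; }
    catch (const std::runtime_error&) { return true; }
}

// Constructed payloads matching the advisory's table under the assumed encoding:
// 4 bytes claiming 100,000,000 elements, 5 bytes claiming 2,147,483,647 elements.
const std::vector<uint8_t> kPoc4Bytes = {0xAF, 0xD7, 0xC2, 0x00};
const std::vector<uint8_t> kPoc5Bytes = {0x83, 0xFF, 0xFF, 0xFF, 0xFF};
// Constructed well-formed input: length 2, then int64 values 1 and -2.
const std::vector<uint8_t> kValidTwoElements = {
    0x02,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE};

int main() {
    std::printf("4-byte payload would reserve %llu bytes\n",
                static_cast<unsigned long long>(unboundedReserveBytes(kPoc4Bytes)));
    std::printf("5-byte payload would reserve %llu bytes\n",
                static_cast<unsigned long long>(unboundedReserveBytes(kPoc5Bytes)));
    std::printf("bounded reader rejects 4-byte payload: %s\n",
                boundedReadRejects(kPoc4Bytes) ? "yes" : "no");
    std::printf("bounded reader decodes valid input: %zu elements\n",
                readInt64ArrayBounded(kValidTwoElements).size());
    return 0;
}
```

The 4-byte payload decodes to 100,000,000 and would drive an 800,000,000-byte reserve (the 762 MB in the table) while zero bytes remain in the stream; the bounded reader rejects it at the length check, and the same check passes the 16 remaining bytes of the well-formed two-element input.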
How to patch CVE-2026-33524
To patch CVE-2026-33524, upgrade the affected package to the patched version listed below.
- — upgrade to 2.18.1 or later
Is CVE-2026-33524 being exploited?
Low. EPSS score is 0.1%, and no large-scale exploitation activity has been observed.