GHSA-CWQ5-8PVQ-J65J

Vulnerability from github – Published: 2026-04-24 16:25 – Updated: 2026-05-04 20:08
Summary
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization
Details

Summary

Unbounded Memory Allocation (all platforms)

A crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service).

Affected code (C++):
  • cpp/runtime/src/zserio/Array.h (line 1029) — m_rawArray.reserve(readLength) with unchecked readLength
  • cpp/runtime/src/zserio/BitStreamReader.h (lines 249, 281) — value.reserve(len) with unchecked len

Affected code (Java):
  • java/runtime/src/zserio/runtime/array/Array.java (line 271) — rawArray.reset(readSize) → new int[readSize]
  • java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java (line 245) — new byte[length]

Proof of Concept

Memory Allocation DoS (verified on 64-bit)

Payload   Claimed Size    Allocated   Amplification
4 bytes   100,000,000     762 MB      ~200 million x
5 bytes   2,147,483,647   ~16 GB      system crash

The full PoC source code and Docker build files are available upon request.

Impact

zserio is the serialization framework underlying the NDS (Navigation Data Standard), used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:

"Zserio serialized data is used in millions of deployments in cars on the road"

Attack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality.

Suggested Fix

For all runtimes: Validate varsize against stream size

if (claimedSize > remainingBytesInStream) {
    throw error("varsize claims more data than available in stream");
}
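The check the advisory proposes, worked through in C++ as an added example that is not zserio's runtime code and not the reporter's PoC. It uses a minimal byte reader with a simplified varint-style size prefix (an assumed encoding standing in for zserio's varsize, chosen for illustration), and places the unchecked allocation pattern named in the advisory beside the hardened one so the amplification and the rejection can both be observed on constructed inputs:

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Minimal byte-oriented reader for illustration; not zserio's BitStreamReader.
class ByteReader {
public:
    explicit ByteReader(std::vector<uint8_t> data) : m_data(std::move(data)), m_pos(0) {}

    size_t remainingBytes() const { return m_data.size() - m_pos; }

    uint8_t readByte() {
        if (m_pos >= m_data.size())
            throw std::runtime_error("read past end of stream");
        return m_data[m_pos++];
    }

    // Simplified variable-length size prefix (assumed encoding, standing in for
    // zserio's varsize): big-endian groups of 7 bits, high bit set on every byte
    // except the last, at most 5 bytes, value capped at INT32_MAX.
    uint32_t readVarSize() {
        uint64_t value = 0;
        for (int i = 0; i < 5; ++i) {
            const uint8_t b = readByte();
            value = (value << 7) | (b & 0x7Fu);
            if ((b & 0x80u) == 0) {
                if (value > static_cast<uint64_t>(INT32_MAX))
                    throw std::runtime_error("varsize exceeds INT32_MAX");
                return static_cast<uint32_t>(value);
            }
        }
        throw std::runtime_error("varsize longer than 5 bytes");
    }

private:
    std::vector<uint8_t> m_data;
    size_t m_pos;
};

struct ReadOutcome {
    bool ok = false;       // true if the whole byte array was read
    size_t reserved = 0;   // capacity requested from the allocator (0 if rejected first)
    std::string error;     // reason for failure, empty on success
};

// Reads a length-prefixed byte array. With validateLength == false this is the
// advisory's vulnerable shape: reserve(len) runs before any payload byte is
// checked, so a 3-byte input can reserve 100,000 bytes and a 5-byte input can
// ask for 2 GB. With validateLength == true the claimed length is compared to
// the bytes actually left in the stream before the allocator is touched.
ReadOutcome readBytes(ByteReader& in, bool validateLength) {
    ReadOutcome out;
    try {
        const uint32_t len = in.readVarSize();
        if (validateLength && len > in.remainingBytes())
            throw std::runtime_error("varsize claims more data than available in stream");
        std::vector<uint8_t> value;
        value.reserve(len);
        out.reserved = value.capacity();
        for (uint32_t i = 0; i < len; ++i)
            value.push_back(in.readByte());
        out.ok = true;
    } catch (const std::exception& e) {
        out.error = e.what();
    }
    return out;
}

// Constructed inputs for this example (not taken from the advisory's PoC).
std::vector<uint8_t> amplifiedPayload() { return {0x86, 0x8D, 0x20}; }             // claims 100,000, carries 0 bytes
std::vector<uint8_t> maxSizePayload()   { return {0x87, 0xFF, 0xFF, 0xFF, 0x7F}; } // claims 2,147,483,647
std::vector<uint8_t> honestPayload()    { return {0x03, 0x61, 0x62, 0x63}; }       // claims 3, carries 3

int main() {
    ByteReader a(amplifiedPayload());
    ReadOutcome r1 = readBytes(a, false);
    std::cout << "unchecked, 3-byte input: reserved " << r1.reserved << " bytes, error: " << r1.error << "\n";

    ByteReader b(amplifiedPayload());
    ReadOutcome r2 = readBytes(b, true);
    std::cout << "checked,   3-byte input: reserved " << r2.reserved << " bytes, error: " << r2.error << "\n";

    // The INT32_MAX claim only goes through the checked path here; the unchecked
    // path would attempt a 2 GB reserve on this 5-byte input.
    ByteReader c(maxSizePayload());
    ReadOutcome r3 = readBytes(c, true);
    std::cout << "checked,   5-byte input: reserved " << r3.reserved << " bytes, error: " << r3.error << "\n";

    ByteReader d(honestPayload());
    ReadOutcome r4 = readBytes(d, true);
    std::cout << "checked,   honest input: ok=" << r4.ok << ", reserved " << r4.reserved << "\n";
    return 0;
}
```

The comparison above is in bytes because the example reads a byte array; for an array of fixed-width elements the analogous bound is the remaining stream bits divided by the element's bit width, and for elements of variable width at least one bit per element, so that the claimed element count can never exceed what the stream could physically contain (these generalizations are the editor's, not stated in the advisory).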

Disclosure Timeline

  • 2026-03-08: Reported to Woven by Toyota PSIRT (go-zserio)
  • 2026-03-10: Reported to ndsev/zserio maintainers via GitHub Security Advisory
  • 2026-03-23: Split off overflow vulnerability to own report
  • 90-day coordinated disclosure timeline

A patch for this issue is available at https://github.com/ndsev/zserio/releases/tag/v2.18.1.

Reporter

Ryuji Yasukochi (ryuji.yasu@gmail.com)


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.18.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.ndsev:zserio-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:25:11Z",
    "nvd_published_at": "2026-04-24T19:17:09Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n### Unbounded Memory Allocation (all platforms)\n\nA crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service).\n\n**Affected code (C++):**\n- `cpp/runtime/src/zserio/Array.h` (line 1029) \u2014 `m_rawArray.reserve(readLength)` with unchecked `readLength`\n- `cpp/runtime/src/zserio/BitStreamReader.h` (lines 249, 281) \u2014 `value.reserve(len)` with unchecked `len`\n\n**Affected code (Java):**\n- `java/runtime/src/zserio/runtime/array/Array.java` (line 271) \u2014 `rawArray.reset(readSize)` \u2192 `new int[readSize]`\n- `java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java` (line 245) \u2014 `new byte[length]`\n\n## Proof of Concept\n\n### Memory Allocation DoS (verified on 64-bit)\n\n| Payload | Claimed Size | Allocated | Amplification |\n|---------|-------------|-----------|---------------|\n| 4 bytes | 100,000,000 | 762 MB | ~200 million x |\n| 5 bytes | 2,147,483,647 | ~16 GB | system crash |\n\nThe full PoC source code and Docker build files are available upon request.\n\n## Impact\n\nzserio is the serialization framework underlying the **NDS (Navigation Data Standard)**, used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:\n\n\u003e \"Zserio serialized data is used in millions of deployments in cars on the road\"\n\nAttack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality.\n\n## Suggested Fix\n\n### For all runtimes: Validate varsize against stream size\n\n```\nif (claimedSize \u003e remainingBytesInStream) {\n    throw error(\"varsize claims more data than available in stream\");\n}\n```\n\n## Disclosure Timeline\n\n- **2026-03-08:** Reported to Woven by Toyota PSIRT (go-zserio)\n- **2026-03-10:** Reported to ndsev/zserio maintainers via GitHub Security Advisory\n- **2026-03-23:** Split off overflow vulnerability to own report\n- **90-day coordinated disclosure timeline**\n\nA patch for this issue is available at https://github.com/ndsev/zserio/releases/tag/v2.18.1.\n\n## Reporter\n\nRyuji Yasukochi (ryuji.yasu@gmail.com)",
  "id": "GHSA-cwq5-8pvq-j65j",
  "modified": "2026-05-04T20:08:28Z",
  "published": "2026-04-24T16:25:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ndsev/zserio/commit/a9932de4b5eefb3afd5e18ca2fd758aa744a7c69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ndsev/zserio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization"
}

