PT-2026-1132 · Unknown · Messagepack For Java
Hyperps
Published: 2026-01-02 · Updated: 2026-05-18
CVE-2026-21452
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MessagePack for Java versions prior to 0.9.11

Description: A denial-of-service issue exists in MessagePack for Java when processing .msgpack files. Versions before 0.9.11 are susceptible to unbounded heap allocation when deserializing .msgpack files that contain EXT32 objects with attacker-controlled payload lengths. The library trusts the declared EXT payload length during materialization and attempts to allocate a byte array of that size without any upper bound. A small, crafted .msgpack file can therefore trigger JVM heap exhaustion, leading to process termination or service unavailability. The issue is triggered during model loading and deserialization, making it a model format issue suitable for remote exploitation. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely.

Recommendations: Update MessagePack for Java to version 0.9.11 or later.
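The missing bound described above, as an added illustration that is not code from MessagePack for Java: a minimal Python reader for the msgpack ext family (fixext, ext8, ext16, ext32) that validates the declared payload length against a configured cap (MAX_EXT_PAYLOAD is an assumed policy value) and against the bytes actually present before any payload is allocated.

```python
import struct
from dataclasses import dataclass

# Policy value (assumption): largest EXT payload this reader will allocate for.
MAX_EXT_PAYLOAD = 1 << 20  # 1 MiB

# MessagePack ext family: marker byte -> width of the big-endian length field.
_EXT_LENGTH_WIDTH = {0xC7: 1, 0xC8: 2, 0xC9: 4}
# fixext markers carry an implicit payload length instead of a length field.
_FIXEXT_LENGTH = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}


class ExtTooLarge(ValueError):
    """Declared EXT payload exceeds the configured allocation cap."""


@dataclass(frozen=True)
class Ext:
    ext_type: int   # signed int8 application type tag
    payload: bytes


def read_ext(buf: bytes, offset: int = 0, max_payload: int = MAX_EXT_PAYLOAD) -> Ext:
    """Decode one ext object, validating the declared length before any allocation."""
    marker = buf[offset]
    pos = offset + 1
    if marker in _FIXEXT_LENGTH:
        length = _FIXEXT_LENGTH[marker]
    elif marker in _EXT_LENGTH_WIDTH:
        width = _EXT_LENGTH_WIDTH[marker]
        if len(buf) < pos + width:
            raise ValueError("truncated ext length field")
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"not an ext marker: 0x{marker:02x}")
    # Check 1: an attacker-controlled length must never drive allocation on its own.
    if length > max_payload:
        raise ExtTooLarge(f"declared ext length {length} exceeds cap {max_payload}")
    if len(buf) < pos + 1:
        raise ValueError("truncated ext type byte")
    (ext_type,) = struct.unpack_from(">b", buf, pos)
    pos += 1
    # Check 2: the declared length must also be backed by bytes actually present.
    if len(buf) - pos < length:
        raise ValueError(f"ext payload truncated: need {length}, have {len(buf) - pos}")
    return Ext(ext_type, bytes(buf[pos:pos + length]))
```

Both checks run on the header alone, so an over-sized declaration is rejected before the payload array exists; the cap is the part a fixed library must supply, the truncation check is what a streaming reader cannot do without buffering the whole input.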

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CVE-2026-21452
GHSA-CW39-R4H6-8J3X

Affected Products

Debian
Messagepack For Java