PT-2026-30757 · Unknown · Go-Ipld-Prime

Yuliyu123 · Published 2026-04-06 · Updated 2026-04-14 · CVE-2026-35480

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

go-ipld-prime versions prior to 0.22.0

Description

go-ipld-prime’s DAG-CBOR decoder does not limit the size of preallocations for maps and lists based on CBOR headers, potentially leading to excessive memory allocation from small payloads. Nested structures can exacerbate this issue, causing allocations exceeding 9GB from payloads under 100 bytes. The decoder uses collection sizes from CBOR headers as preallocation hints for Go maps and lists, without accounting for the cost in its allocation budget.

Recommendations

Update to version 0.22.0 or later.
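
The defensive pattern the description points to, as an added example that is not code from go-ipld-prime or its 0.22.0 fix: the count declared in a CBOR list or map header is bounded by what the remaining input could encode and charged to an allocation budget before it is used as a preallocation hint. The function names, the error values, the budget unit (one per entry) and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var errHeader, errBudget = errors.New("bad collection header"), errors.New("allocation budget exceeded")

// header (hypothetical helper) parses a CBOR list (major type 4) or map (major type 5) header
// and returns the declared entry count, the header size and the minimum encoded bytes per entry.
func header(b []byte) (count uint64, n int, per uint64, err error) {
	if len(b) == 0 || (b[0]>>5 != 4 && b[0]>>5 != 5) {
		return 0, 0, 0, errHeader
	}
	per, info := uint64(b[0]>>5)-3, b[0]&0x1f // list item >= 1 byte, map entry >= 2 bytes
	if info < 24 { // count is carried in the initial byte
		return uint64(info), 1, per, nil
	}
	size := 1 << (info - 24) // 1, 2, 4 or 8 big-endian bytes follow
	if info > 27 || len(b) < 1+size { // indefinite or reserved length, or truncated header
		return 0, 0, 0, errHeader
	}
	for _, c := range b[1 : 1+size] {
		count = count<<8 | uint64(c)
	}
	return count, 1 + size, per, nil
}

// preallocHint (hypothetical helper) returns a capacity for the collection at the start of b:
// the declared count, bounded by the remaining bytes and charged to budget (one unit per entry).
func preallocHint(b []byte, budget *int64) (int, error) {
	count, n, per, err := header(b)
	if err != nil {
		return 0, err
	}
	if fit := uint64(len(b)-n) / per; count > fit {
		count = fit // the header declares more entries than the payload can hold
	}
	if *budget -= int64(count); *budget < 0 {
		return 0, errBudget
	}
	return int(count), nil
}

func main() {
	// Constructed input: a list header declaring 1,048,576 items, followed by 3 one-byte items.
	budget := int64(4096)
	fmt.Println(preallocHint([]byte{0x9a, 0x00, 0x10, 0x00, 0x00, 0x01, 0x02, 0x03}, &budget))
}
```

Because the same budget pointer is passed down through nested collections, each level's hint is paid for from one shared total rather than being sized independently from its own header.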

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-35480
GHSA-378J-3JFJ-8R9F
OPENSUSE-SU-2026:10543-1

Affected Products

Go-Ipld-Prime