CVE-2026-35480

The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.

A CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.

Schema-free decoding (i.e. using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as Any in the schema permits unconstrained nesting within that field.

The fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.