PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42328 ipld CVE debrief

CVE-2026-42328 is a stack exhaustion vulnerability in go-ipld-prime, a Go implementation of the InterPlanetary Linked Data (IPLD) specification. The DAG-CBOR and DAG-JSON decoders in versions prior to 0.23.0 recursively process nested maps and lists without enforcing a depth limit. A maliciously crafted payload with deeply nested collections causes unbounded stack growth, leading to a fatal stack overflow that terminates the process. This is distinct from a recoverable panic and cannot be caught by standard error handling. The vulnerability is classified as CWE-674 (Uncontrolled Recursion). The issue was published on 2026-05-27 and is fixed in go-ipld-prime version 0.23.0.

Vendor
ipld
Product
go-ipld-prime
CVSS
MEDIUM 6.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running services that process untrusted IPLD data with go-ipld-prime should care, particularly those exposed to external input via IPFS gateways, content routing systems, or peer-to-peer networks. Developers building applications on IPLD stacks, including Filecoin, IPFS, or libp2p-based systems, should prioritize patching.

Technical summary

The go-ipld-prime library provides IPLD codec implementations for CBOR and JSON. Prior to version 0.23.0, the DAG-CBOR and DAG-JSON decoders used recursive function calls to process nested data structures (maps and lists) without limiting recursion depth. When processing a payload with excessive nesting levels, each recursive call consumes additional stack space. Go's goroutine stack starts small and grows dynamically, but has a maximum size (typically 1GB on 64-bit systems). Once this limit is exceeded, the Go runtime terminates the process with a fatal `stack overflow` runtime error, which cannot be recovered via defer/recover mechanisms. This is an uncontrolled recursion condition (CWE-674) resulting in denial of service. The fix in version 0.23.0 introduces a configurable depth limit that bounds recursion.

Defensive priority

medium

Recommended defensive actions

  • Upgrade go-ipld-prime to version 0.23.0 or later to obtain the depth limit fix
  • Implement input size and nesting depth validation for untrusted IPLD payloads before decoding
  • Monitor application logs for unexpected process terminations that may indicate exploitation attempts
  • Consider sandboxing or resource limits for services processing untrusted IPLD data
  • Review dependent applications for indirect exposure through go-ipld-prime usage
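The depth limit described in the technical summary, and the "nesting depth validation before decoding" action above, can be implemented as a pre-decode gate that never recurses. The following is an added example, not code from go-ipld-prime or from this advisory: it scans a DAG-JSON-shaped payload with the standard library's streaming JSON tokenizer, counts map/list nesting with a plain counter, and rejects the input before any recursive decoder sees it. `json.Unmarshal` stands in for the IPLD codec's Decode call (an assumption for illustration), and the `limit` value, `NestedListPayload` helper and sample inputs are constructed here. A DAG-CBOR input would need an equivalent non-recursive walk over CBOR item headers, which is not shown.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when a payload nests maps/lists more deeply than allowed.
var ErrTooDeep = errors.New("payload nesting depth exceeds configured limit")

// MaxNestingDepth walks a JSON document with encoding/json's streaming tokenizer
// and returns the deepest map/list nesting it contains. It stops with ErrTooDeep
// as soon as the nesting exceeds limit. Depth is tracked with a counter rather
// than by recursion, so this function's own stack use does not grow with input.
func MaxNestingDepth(r io.Reader, limit int) (int, error) {
	dec := json.NewDecoder(r)
	depth, maxDepth := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			if depth != 0 {
				return maxDepth, fmt.Errorf("malformed payload: %d unclosed container(s)", depth)
			}
			return maxDepth, nil
		}
		if err != nil {
			return maxDepth, fmt.Errorf("malformed payload: %w", err)
		}
		delim, ok := tok.(json.Delim)
		if !ok {
			continue // scalars (strings, numbers, bools, null) do not change depth
		}
		switch delim {
		case '{', '[':
			depth++
			if depth > limit {
				return depth, ErrTooDeep
			}
			if depth > maxDepth {
				maxDepth = depth
			}
		case '}', ']':
			depth--
		}
	}
}

// GuardedDecode applies the depth gate before handing bytes to a decoder.
// json.Unmarshal is a stand-in (assumption) for the IPLD codec's decoder;
// in a real service the gate runs before go-ipld-prime's decode is invoked.
func GuardedDecode(payload []byte, limit int) (any, error) {
	if _, err := MaxNestingDepth(bytes.NewReader(payload), limit); err != nil {
		return nil, err
	}
	var out any
	if err := json.Unmarshal(payload, &out); err != nil {
		return nil, err
	}
	return out, nil
}

// NestedListPayload builds a constructed test input: n nested empty lists,
// the shape of payload that exhausts an unbounded recursive decoder.
func NestedListPayload(n int) string {
	return strings.Repeat("[", n) + strings.Repeat("]", n)
}

func main() {
	const limit = 64 // constructed value; tune to the deepest legitimate document

	benign := []byte(`{"links":[{"name":"a","size":12},{"name":"b","size":7}]}`)
	if v, err := GuardedDecode(benign, limit); err == nil {
		fmt.Printf("accepted benign payload: %v\n", v)
	}

	hostile := []byte(NestedListPayload(100_000))
	if _, err := GuardedDecode(hostile, limit); errors.Is(err, ErrTooDeep) {
		fmt.Println("rejected before decoding:", err)
	}
}
```

The gate is cheap (one pass over the bytes, constant stack) and composes with the upgrade rather than replacing it: the library fix bounds recursion inside the decoder, while this check rejects oversized nesting at the service boundary and gives you a log line to alert on instead of a process exit.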

Evidence notes

The vulnerability description and fix version are sourced from the official CVE record and GitHub Security Advisory. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with high availability impact and no confidentiality or integrity impact, consistent with a denial-of-service condition via stack exhaustion.

Official resources

2026-05-27