Use After Free Affecting msgpack package, versions >=1.0.0, <1.8.2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-MSGPACK-17705230
  • published30 Jun 2026
  • disclosed29 Jun 2026
  • creditpranjalithakur

Introduced: 29 Jun 2026

NewCVE-2026-54522  (opens in a new tab)
CWE-416  (opens in a new tab)

How to fix?

Upgrade msgpack to version 1.8.2 or higher.

Overview

Affected versions of this package are vulnerable to Use After Free in the clear function. An attacker can access or manipulate memory contents from another buffer by triggering the reuse of a memory page after it has been returned to the shared pool, leading to unintended disclosure or modification of data.

CVSS Base Scores

version 4.0
version 3.1