Memory Allocation with Excessive Size Value Affecting rust-zserio package, versions <0.5.4

Q: How to fix?

Upgrade rust-zserio to version 0.5.4 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-RUSTZSERIO-16624663
published10 May 2026
disclosed7 May 2026
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 7 May 2026

NewCWE-789 (opens in a new tab)

How to fix?

Upgrade rust-zserio to version 0.5.4 or higher.

Overview

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the deserialization process. An attacker can cause excessive memory consumption by providing crafted data with large size values, leading to resource exhaustion and potential denial of service.

Workaround

This vulnerability can be mitigated by only accepting encoded messages from trusted sources or by allocating a maximum heap amount to limit memory usage.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None