
x/vulndb: potential Go vuln in github.com/shamaton/msgpack #4513

@athuljayaram

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

Panic via out-of-bounds read in the ext/time decoder when given a
truncated fixext input. Any fixext format byte (0xd4–0xd8) sent
without its required body bytes causes ReadSize1 (ext/decode.go:33)
to read buf[1] from a slice of length 1, triggering an immediate
panic. Affects all decode APIs: Unmarshal, UnmarshalAsMap,
UnmarshalAsArray. Both v2 and v3 major versions are affected.
Discovered via Go's built-in fuzzer in under 1 second.

Affected Modules, Packages, Versions and Symbols

Module: github.com/shamaton/msgpack/v2
  Package: github.com/shamaton/msgpack/v2
  Versions:
    - Fixed: unknown (not yet patched)
  Symbols:
    - Unmarshal
    - UnmarshalAsMap
    - UnmarshalAsArray

Module: github.com/shamaton/msgpack/v3
  Package: github.com/shamaton/msgpack/v3
  Versions:
    - Fixed: unknown (not yet patched)
  Symbols:
    - Unmarshal
    - UnmarshalAsMap

CVE/GHSA ID

No response

Fix Commit or Pull Request

No response

References

shamaton/msgpack#59
https://securityinfinity.com/research/shamaton-msgpack-oob-panic-fixext-dos-2026

Additional information

Prior related CVE: CVE-2022-41719 patched panic-on-malformed-input
in an earlier version. This is a regression - the ext/time decoder
path was not covered by that fix. Minimal crasher: single byte 0xd6.
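
An added example, not part of the issue and not code from the shamaton/msgpack project: a caller-side guard that rejects a truncated top-level fixext before decoding and converts any remaining decoder panic into an error while no fixed version exists. The names `CheckFixext`, `SafeDecode` and the `decode` parameter are hypothetical; the fixext body lengths are taken from the MessagePack specification.

```go
package main

import (
	"errors"
	"fmt"
)

// fixext format byte -> data length (MessagePack spec). On the wire:
// format byte, one type byte, then that many data bytes.
var fixextBody = map[byte]int{0xd4: 1, 0xd5: 2, 0xd6: 4, 0xd7: 8, 0xd8: 16}

var ErrTruncated = errors.New("msgpack: truncated input")

// CheckFixext verifies that a buffer starting with a fixext format byte
// carries its type byte and full body before any index is taken.
func CheckFixext(buf []byte) error {
	if len(buf) == 0 {
		return ErrTruncated
	}
	n, ok := fixextBody[buf[0]]
	if ok && len(buf) < 2+n {
		return fmt.Errorf("%w: format %#x needs %d bytes, got %d", ErrTruncated, buf[0], 2+n, len(buf))
	}
	return nil // complete fixext, or another format (out of scope here)
}

// SafeDecode wraps a decode call (hypothetical parameter, e.g. a closure
// around Unmarshal). The length check only sees the top-level value, so
// recover is the backstop for fixext values nested deeper in the input.
func SafeDecode(decode func([]byte) error, data []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decode panicked: %v", r)
		}
	}()
	if cerr := CheckFixext(data); cerr != nil {
		return cerr
	}
	return decode(data)
}

func main() {
	// Constructed stand-in for a decoder that reads buf[1] unchecked.
	unchecked := func(b []byte) error { _ = b[1]; return nil }
	fmt.Println(SafeDecode(unchecked, []byte{0xd6}))                   // rejected by the length check
	fmt.Println(SafeDecode(unchecked, []byte{0xd6, 0xff, 0, 0, 0, 0})) // complete fixext4 (constructed)
	fmt.Println(SafeDecode(unchecked, []byte{0xc0}))                   // panic recovered as an error
}
```

`recover` only catches a panic raised on the goroutine that called `SafeDecode`, so the decode call must run synchronously inside it.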
