Buffer Overflow Vulnerability in Zserio Framework by ndsev
CVE-2026-33666

7.5HIGH

Key Information:

Vendor: Ndsev
Status: Zserio
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-33666?

The Zserio Framework, a tool designed for efficient serialization of structured data, contains a buffer overflow vulnerability in its 'readBytes()' and 'readString()' functions prior to version 2.18.1. This issue arises in the BitStreamReader.h file, where the bounds check for the 'setBitPosition()' function fails to properly manage an overflowed value. Consequently, this leads to an attempt to read excessive bytes (up to 512 MB) from a buffer that only accommodates a few bytes. Such improper handling can cause segmentation faults, resulting in application crashes and potential denial of service. Users are encouraged to upgrade to version 2.18.1 or later to mitigate this issue.

Affected Version(s)

zserio <= 2.15.0

References

https://github.com/ndsev/zserio/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33666 Data

JSON

Ndsev

What is CVE-2026-33666?

Affected Version(s)

References

CVSS V3.1

Timeline