Stack Overflow Vulnerability in go-ipld-prime by IPLD
CVE-2026-42328

6.2 MEDIUM

Key Information:

Vendor: Ipld
CVE Published: 27 May 2026

What is CVE-2026-42328?

The go-ipld-prime implementation of the InterPlanetary Linked Data (IPLD) specification contains a vulnerability in its DAG-CBOR and DAG-JSON decoders. Prior to version 0.23.0, these decoders impose no limit on recursion depth when processing nested collections. As a result, a payload with deeply nested maps or lists can drive the decoder into extensive recursion and overflow the stack in the Go runtime. The runtime treats this as a fatal error and terminates the process; it is not a panic that the application can recover from, which poses a significant risk to applications using this library. Upgrading to version 0.23.0 mitigates this vulnerability.
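For services that accept untrusted DAG-JSON and cannot upgrade immediately, nesting depth can be bounded before the bytes reach the decoder. The following is an added example, not code from go-ipld-prime or from the 0.23.0 fix; the function name MaxJSONDepth, the error value and the limit of 1024 are assumptions chosen for illustration, and the check covers DAG-JSON only (DAG-CBOR would need an equivalent scan over CBOR item headers).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTooDeep is a hypothetical error for input nested beyond the caller's limit.
var ErrTooDeep = errors.New("nesting depth exceeds limit")

// MaxJSONDepth scans JSON text in a single loop (no recursion, so its own
// stack use is constant) and returns the deepest map/list nesting seen.
// It stops early with ErrTooDeep once the depth exceeds limit.
// Brackets inside string literals, including after escaped quotes, are ignored.
func MaxJSONDepth(data []byte, limit int) (int, error) {
	depth, deepest := 0, 0
	inString, escaped := false, false
	for _, b := range data {
		if inString {
			switch {
			case escaped:
				escaped = false // this byte is consumed by the preceding backslash
			case b == '\\':
				escaped = true
			case b == '"':
				inString = false
			}
			continue
		}
		switch b {
		case '"':
			inString = true
		case '{', '[':
			depth++
			if depth > deepest {
				deepest = depth
			}
			if depth > limit {
				return deepest, ErrTooDeep
			}
		case '}', ']':
			if depth > 0 {
				depth--
			}
		}
	}
	return deepest, nil
}

func main() {
	// Constructed sample input: 2000 nested lists.
	nested := strings.Repeat("[", 2000) + strings.Repeat("]", 2000)
	fmt.Println(MaxJSONDepth([]byte(nested), 1024))
}
```

Reject the input when the function returns ErrTooDeep and pass it to the decoder only otherwise; the scan does not validate JSON syntax, which remains the decoder's job.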

Affected Version(s)

go-ipld-prime < 0.23.0

CVSS V3.1

Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
