{"id":"GHSA-fpf5-4jw8-67x8","summary":"rust-zserio has Unbounded Memory Allocation","details":"### Impact\n\nWhen deserializing arrays, strings or bytes (blob) types, zserio first reads the size of the variable and then allocates sufficient memory to load the data. Since the size is always trusted, this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate large amounts of memory.\n\n### Patches\n\nPlease cherry-pick [57f5fb](https://github.com/Danaozhong/rust-zserio/commit/57f5fb4a2a8611d58dbcc1a9221349206dd99c3c).\n\n### Workarounds\n\n- Do not accept `zserio`-encoded messages from non-trusted sources.\n- Allocate a maximum heap amount to `rust-zserio` to avoid impacting other applications.","modified":"2026-05-07T02:02:17.907769Z","published":"2026-05-07T01:54:57Z","database_specific":{"github_reviewed":true,"severity":"HIGH","cwe_ids":["CWE-789"],"nvd_published_at":null,"github_reviewed_at":"2026-05-07T01:54:57Z"},"references":[{"type":"WEB","url":"https://github.com/Danaozhong/rust-zserio/security/advisories/GHSA-fpf5-4jw8-67x8"},{"type":"WEB","url":"https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"},{"type":"WEB","url":"https://github.com/Danaozhong/rust-zserio/commit/57f5fb4a2a8611d58dbcc1a9221349206dd99c3c"},{"type":"PACKAGE","url":"https://github.com/Danaozhong/rust-zserio"}],"affected":[{"package":{"name":"rust-zserio","ecosystem":"crates.io","purl":"pkg:cargo/rust-zserio"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.5.4"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 0.5.3","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fpf5-4jw8-67x8/GHSA-fpf5-4jw8-67x8.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}