CVE-2026-33666 - Vulnerability Details - OpenCVE

Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Ndsev	Zserio

No data.

No data.

References

Link	Providers
https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ndsev Ndsev zserio
Vendors & Products		Ndsev Ndsev zserio

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1.
Title		Zserio: Integer Overflow in BitStreamReader on 32-bit platforms
Weaknesses		CWE-190
References		https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T18:21:11.265Z

Updated: 2026-04-27T13:46:01.833Z

Reserved: 2026-03-23T15:23:42.220Z

Link: CVE-2026-33666

Vulnrichment

Updated: 2026-04-27T13:45:47.937Z

NVD

Status : Awaiting Analysis

Published: 2026-04-24T19:17:10.147

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-33666

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33666", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.220Z", "datePublished": "2026-04-24T18:21:11.265Z", "dateUpdated": "2026-04-27T13:46:01.833Z"}, "containers": {"cna": {"title": "Zserio: Integer Overflow in BitStreamReader on 32-bit platforms", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj"}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"version": "<= 2.15.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:21:11.265Z"}, "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1."}], "source": {"advisory": "GHSA-fjwv-6wcr-vqwj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:45:58.519906Z", "id": "CVE-2026-33666", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:46:01.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33666", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:45:58.519906Z"}}}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:45:47.937Z"}}], "cna": {"title": "Zserio: Integer Overflow in BitStreamReader on 32-bit platforms", "source": {"advisory": "GHSA-fjwv-6wcr-vqwj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ndsev", "product": "zserio", "versions": [{"status": "affected", "version": "<= 2.15.0"}]}], "references": [{"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "name": "https://github.com/ndsev/zserio/security/advisories/GHSA-fjwv-6wcr-vqwj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zserio is a framework for serializing structured data with a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString(), the setBitPosition() bounds check receives the overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault. This vulnerability is fixed in 2.18.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T18:21:11.265Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33666", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:46:01.833Z", "dateReserved": "2026-03-23T15:23:42.220Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T18:21:11.265Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}