GHSA-fpf5-4jw8-67x8 - rust-zserio has Unbounded Memory Allocation

📡 GitHub-Advisory · 2026-05-07

GHSA-fpf5-4jw8-67x8 HIGH rust/rust-zserio

CVE:

Impact

When deserializing array, string or bytes (blob) types, zserio first reads the size of the value and then allocates enough memory to hold the data. Because that size is trusted without validation, a crafted data file carrying a very large size value causes the zserio runtime to allocate a correspondingly large amount of memory.
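To make the bug class concrete, here is an added illustration that is not rust-zserio's code: it assumes a simplified wire format with a 4-byte big-endian length prefix (not zserio's real varsize encoding) and shows the size-trusting read next to one that bounds the declared size by the bytes actually present and by an application cap before allocating.

```rust
/// Largest blob this application is willing to accept (assumed policy value).
pub const MAX_BLOB_LEN: usize = 1 << 20;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    LengthExceedsInput { declared: usize, available: usize },
    LengthExceedsPolicy { declared: usize, max: usize },
}

/// Reads the assumed 4-byte big-endian length prefix and returns the remaining bytes.
fn read_len_prefix(input: &[u8]) -> Result<(usize, &[u8]), DecodeError> {
    if input.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let len = u32::from_be_bytes([input[0], input[1], input[2], input[3]]) as usize;
    Ok((len, &input[4..]))
}

/// Vulnerable pattern (the advisory's bug class): the declared size is trusted,
/// so memory is reserved before anyone checks that the bytes exist.
pub fn read_blob_trusting(input: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (len, rest) = read_len_prefix(input)?;
    let mut buf = Vec::with_capacity(len); // sized by an attacker-controlled value
    if rest.len() < len {
        return Err(DecodeError::Truncated); // too late: the allocation already happened
    }
    buf.extend_from_slice(&rest[..len]);
    Ok(buf)
}

/// Hardened pattern: every bound is checked before a single byte is allocated.
pub fn read_blob_bounded(input: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (len, rest) = read_len_prefix(input)?;
    if len > rest.len() {
        return Err(DecodeError::LengthExceedsInput { declared: len, available: rest.len() });
    }
    if len > MAX_BLOB_LEN {
        return Err(DecodeError::LengthExceedsPolicy { declared: len, max: MAX_BLOB_LEN });
    }
    Ok(rest[..len].to_vec())
}

/// Constructed sample: declares 0xFFFF_FFFF bytes but carries only two.
pub fn oversized_message() -> Vec<u8> {
    let mut m = 0xFFFF_FFFFu32.to_be_bytes().to_vec();
    m.extend_from_slice(&[0xAA, 0xBB]);
    m
}

/// Constructed sample: a well-formed three-byte blob.
pub fn benign_message() -> Vec<u8> {
    let mut m = 3u32.to_be_bytes().to_vec();
    m.extend_from_slice(b"abc");
    m
}
```

The bounded reader rejects the oversized sample with `LengthExceedsInput` without touching the allocator, which is the check the trusting reader lacks.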

Patches

Please cherry-pick 57f5fb.

Workarounds

  • Do not accept zserio-encoded messages from non-trusted sources.
  • Limit the heap available to rust-zserio so that an oversized allocation cannot affect other applications.
