CVE-2026-21452: MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior
Summary
MessagePack for Java has a denial-of-service vulnerability in versions before 0.9.11 where specially crafted .msgpack files can trick the library into allocating massive amounts of memory. When the library deserializes (reads and converts) these files, it blindly trusts the size information in EXT32 objects (an extension data type) and tries to allocate a byte array matching that size, which can be impossibly large, causing the Java program to run out of memory and crash.
Solution / Mitigation
Update to version 0.9.11 or later, which fixes the vulnerability.
Vulnerability Details
7.5(high)
EPSS: 0.0%
Classification
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21452
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 92%