CVE-2026-21452
PUBLISHED
CVSS 7.5 HIGH
MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation
EPSS 0.03% · 8.5th percentile
Risk Scores
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.03% (8.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Maven | org.msgpack:msgpack-core | 0 |
| msgpack | msgpack-java | < 0.9.11 |
| msgpack | messagepack | 0.9.10 |
Timeline
- Dec 29, 2025 CVE ID Reserved
- Jan 2, 2026 CVE Published
- Jan 2, 2026 CVE Updated
- Jan 3, 2026 EPSS Score
- Jan 6, 2026 EPSS Score
- Jan 10, 2026 EPSS Score
- Jan 13, 2026 EPSS Score
- Jan 16, 2026 EPSS Score
- Jan 20, 2026 EPSS Score
- Jan 23, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 26, 2026 EPSS Score
References
- https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x url
- https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae url
- https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-21452 advisory
- https://github.com/msgpack/msgpack-java package