CVE-2026-35480

CVE-2026-35480 is a medium-severity allocation of resources without limits or throttling vulnerability in github.com/ipld/go-ipld-prime (go), affecting versions < 0.22.0. It is fixed in 0.22.0.

Summary

The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation.

A CBOR map or list header can declare an arbitrarily large number of entries, causing the decoder to preallocate proportionally large backing structures before any entries are actually read. Because the allocation budget is only decremented as entries are decoded (not when sizes are declared), this cost is effectively invisible to the budget system. This is compounded by nesting: each level of a nested structure triggers its own unchecked preallocation while consuming minimal budget (one entry per parent level), so a payload under 100 bytes with 10 levels of nesting can cause over 9GB of allocation.

Schema-free decoding (i.e. using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding limits nesting to the schema's structure, but any field typed as Any in the schema permits unconstrained nesting within that field.

The fix caps the preallocation size hint to 1024 entries and decrements the allocation budget when collection sizes are declared. The declared length is still used for entry-count validation, and collections grow dynamically as entries are decoded, so correctly-formed data is unaffected, even beyond the preallocation limit.
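The Go program below is an added illustration, not code from go-ipld-prime. It parses standard CBOR collection headers and compares the two preallocation policies the advisory contrasts: the pre-0.22.0 behaviour (declared size used verbatim as the hint, budget untouched at declaration time) and the fixed behaviour (hint capped at 1024 entries, declared count charged to the budget as soon as the header is read). The header parser, the `hintPolicy` type, the budget of 2^20 entries and the constructed sample byte strings are assumptions of this example; only the 1024 cap comes from the advisory. The walker merely accounts for the capacity each policy would request and never allocates it.

```go
package main

import (
	"errors"
	"fmt"
)

// The advisory states the fix caps preallocation size hints at 1024 entries.
const maxPreallocHint = 1024

// Budget used by this example, in entries (an assumption, not the real decoder's figure).
const exampleBudget int64 = 1 << 20

var ErrBudgetExceeded = errors.New("cbor: declared collection size exceeds allocation budget")

// decodeHeader parses one CBOR data-item header: the major type (top three bits)
// and its argument, which for lists (major 4) and maps (major 5) is the declared
// entry count, held in the low five bits or in 1, 2, 4 or 8 following bytes.
func decodeHeader(b []byte) (major byte, arg uint64, n int, err error) {
	if len(b) == 0 {
		return 0, 0, 0, errors.New("cbor: truncated header")
	}
	major, ai := b[0]>>5, b[0]&0x1f
	switch {
	case ai < 24:
		return major, uint64(ai), 1, nil
	case ai <= 27:
		width := int(1) << (ai - 24) // 1, 2, 4 or 8 argument bytes
		if len(b) < 1+width {
			return 0, 0, 0, errors.New("cbor: truncated header")
		}
		for _, c := range b[1 : 1+width] {
			arg = arg<<8 | uint64(c)
		}
		return major, arg, 1 + width, nil
	default: // indefinite-length items are not DAG-CBOR
		return 0, 0, 0, fmt.Errorf("cbor: unsupported additional info %d", ai)
	}
}

// hintPolicy chooses the capacity to request for a collection whose header
// declares `declared` entries, given the remaining allocation budget.
type hintPolicy func(declared uint64, budget *int64) (int, error)

// vulnerableHint mirrors the pre-0.22.0 behaviour: the declared size is used
// verbatim and the budget is charged only later, per decoded entry.
func vulnerableHint(declared uint64, budget *int64) (int, error) {
	return int(declared), nil
}

// safeHint mirrors the fix: charge the declared count when the header is read
// and cap the hint; the collection still grows past the cap as entries arrive.
func safeHint(declared uint64, budget *int64) (int, error) {
	if declared > uint64(*budget) {
		return 0, ErrBudgetExceeded
	}
	*budget -= int64(declared)
	if declared > maxPreallocHint {
		return maxPreallocHint, nil
	}
	return int(declared), nil
}

// sumPreallocation walks a payload of nested collection headers (each
// collection's first entry is the next collection) and reports the total
// capacity the policy would request and how many levels were accepted.
func sumPreallocation(payload []byte, policy hintPolicy, budget int64) (total int64, levels int, err error) {
	for len(payload) > 0 {
		major, declared, n, herr := decodeHeader(payload)
		if herr != nil {
			return total, levels, herr
		}
		if major != 4 && major != 5 {
			return total, levels, fmt.Errorf("cbor: expected list or map header, got major type %d", major)
		}
		capHint, perr := policy(declared, &budget)
		if perr != nil {
			return total, levels, perr
		}
		total += int64(capHint)
		levels++
		payload = payload[n:]
	}
	return total, levels, nil
}

// Constructed sample inputs (not from the advisory): three nested list headers
// each declaring 1,000,000 elements (15 bytes), and a benign nest of lists
// declaring 3, 2, 1 and 0 elements.
var (
	oversizedHeaders = []byte{0x9a, 0x00, 0x0f, 0x42, 0x40, 0x9a, 0x00, 0x0f, 0x42, 0x40, 0x9a, 0x00, 0x0f, 0x42, 0x40}
	benignHeaders    = []byte{0x83, 0x82, 0x81, 0x80}
)

func main() {
	for _, payload := range [][]byte{oversizedHeaders, benignHeaders} {
		vt, vl, verr := sumPreallocation(payload, vulnerableHint, exampleBudget)
		st, sl, serr := sumPreallocation(payload, safeHint, exampleBudget)
		fmt.Printf("%d bytes: vulnerable=%d slots/%d levels (%v); safe=%d slots/%d levels (%v)\n",
			len(payload), vt, vl, verr, st, sl, serr)
	}
}
```

Under the safe policy the second nested header is rejected the moment its declared count exceeds what remains of the budget, before any backing array would be created, whereas the vulnerable policy would request three million slots for fifteen bytes of input. The benign four-level nest produces the same six slots under both policies, which is the property the advisory notes for correctly formed data.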

Impact

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

CVE-2026-35480 has a CVSS score of 6.2 (Medium). The attack vector requires local access, no privileges, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.22.0); upgrading removes the vulnerable code path.

Affected versions

github.com/ipld/go-ipld-prime (< 0.22.0)

Security releases

github.com/ipld/go-ipld-prime → 0.22.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/ipld/go-ipld-prime to 0.22.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-35480? CVE-2026-35480 is a medium-severity allocation of resources without limits or throttling vulnerability in github.com/ipld/go-ipld-prime (go), affecting versions < 0.22.0. It is fixed in 0.22.0. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. How severe is CVE-2026-35480? CVE-2026-35480 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/ipld/go-ipld-prime are affected by CVE-2026-35480? github.com/ipld/go-ipld-prime (go) versions < 0.22.0 are affected.
  4. Is there a fix for CVE-2026-35480? Yes. CVE-2026-35480 is fixed in 0.22.0. Upgrade to this version or later.
  5. Is CVE-2026-35480 exploitable, and should I be worried? Whether CVE-2026-35480 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-35480 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-35480? Upgrade github.com/ipld/go-ipld-prime to 0.22.0 or later.

Other vulnerabilities in github.com/ipld/go-ipld-prime

CVE-2026-35480
CVE-2023-22460
