CVE-2026-33666 HIGH

CVE-2026-33666: Zserio: Integer Overflow in BitStreamReader on 32-bit platforms

Vendor Ndsev
Product zserio
Weakness CWE-190
Published April 24, 2026
Last update April 27, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Zserio is a framework for serializing structured data in a compact and efficient way with low overhead. Prior to 2.18.1, in BitStreamReader.h readBytes() / readString() on 32-bit platforms, the setBitPosition() bounds check receives an already overflowed value and is completely bypassed. The code then reads len bytes (512 MB) from a buffer that is only a few bytes long, causing a segmentation fault (a crash of the parsing process, which is the availability impact the CVSS vector records). This vulnerability is fixed in 2.18.1.
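As an added illustration (not zserio's code; the real BitStreamReader internals are not on this page), the C model below uses a hypothetical reader struct to show the two patterns side by side: the unsafe check computes the end position with a multiply that wraps in 32-bit arithmetic, while the hardened version compares the requested length against the remaining capacity, which cannot overflow. uint32_t stands in for a 32-bit size_t so the wrap reproduces on 64-bit hosts, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample stream: 4 bytes, i.e. 32 bits of payload. */
static const uint8_t SAMPLE[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Hypothetical reader; uint32_t stands in for a 32-bit size_t. */
typedef struct {
    const uint8_t *buf;
    uint32_t sizeBits;   /* buffer length in bits */
    uint32_t bitPos;     /* current read position in bits */
} Reader;

/* Vulnerable pattern: the end position is computed first and then
 * bounds-checked. With 32-bit arithmetic, len * 8 wraps to 0 for
 * len = 512 MB, so the check sees bitPos + 0 and passes. */
int unsafe_check_allows(const Reader *r, uint32_t len)
{
    uint32_t endBits = r->bitPos + (uint32_t)(len * 8u);  /* may wrap */
    return endBits <= r->sizeBits;  /* 1 = the read would go ahead */
}

/* Hardened pattern: compare len against the remaining capacity, which
 * is derived by subtraction and division and cannot overflow.
 * Byte-aligned reads only, to keep the model short (an assumption). */
int safe_read_bytes(Reader *r, uint32_t len, uint8_t *dst)
{
    if (r->bitPos > r->sizeBits || r->bitPos % 8u != 0) return -1;
    uint32_t remainingBytes = (r->sizeBits - r->bitPos) / 8u;
    if (len > remainingBytes) return -1;  /* rejected: out of bounds */
    memcpy(dst, r->buf + r->bitPos / 8u, len);
    r->bitPos += len * 8u;  /* cannot wrap: len * 8 <= sizeBits - bitPos */
    return 0;
}

/* Run each variant against the 4-byte sample from bit position 0. */
int unsafe_allows_on_sample(uint32_t len)
{
    Reader r = { SAMPLE, 32u, 0u };
    return unsafe_check_allows(&r, len);
}

int safe_read_on_sample(uint32_t len)
{
    uint8_t dst[4] = { 0 };
    Reader r = { SAMPLE, 32u, 0u };
    return safe_read_bytes(&r, len, dst);
}
```

With len = 0x20000000 (512 MB) the unsafe check reports the read as in bounds on a 4-byte buffer, while the hardened read rejects it.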

Key dates

Disclosure timeline

April 24, 2026 CVE published
April 27, 2026 Record updated