The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
PUBLISHED5.2
Denial of service in github.com/buger/jsonparser
Problem type
- CWE-125: Out-of-bounds Read
Affected products
github.com/buger/jsonparser
github.com/buger/jsonparser
References
github.com
https://github.com/buger/jsonparser/issues/275
github.com
https://github.com/golang/vulndb/issues/4514
pkg.go.dev
https://pkg.go.dev/vuln/GO-2026-4514
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-32285Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-32285",
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"dateUpdated": "2026-03-26T19:40:51.837Z",
"dateReserved": "2026-03-11T16:38:46.556Z",
"datePublished": "2026-03-26T19:40:51.837Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go",
"dateUpdated": "2026-03-26T19:40:51.837Z"
},
"title": "Denial of service in github.com/buger/jsonparser",
"descriptions": [
{
"lang": "en",
"value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."
}
],
"affected": [
{
"vendor": "github.com/buger/jsonparser",
"product": "github.com/buger/jsonparser",
"collectionURL": "https://pkg.go.dev",
"packageName": "github.com/buger/jsonparser",
"programRoutines": [
{
"name": "Delete"
},
{
"name": "FuzzDelete"
}
],
"defaultStatus": "affected"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-125: Out-of-bounds Read"
}
]
}
],
"references": [
{
"url": "https://github.com/buger/jsonparser/issues/275"
},
{
"url": "https://github.com/golang/vulndb/issues/4514"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4514"
}
]
}
}
}