GHSA-fpf5-4jw8-67x8: rust-zserio has Unbounded Memory Allocation

May 7, 2026

When deserializing arrays, strings or bytes (blob) types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate large amounts of memory.

References

github.com/Danaozhong/rust-zserio
github.com/Danaozhong/rust-zserio/commit/57f5fb4a2a8611d58dbcc1a9221349206dd99c3c
github.com/Danaozhong/rust-zserio/security/advisories/GHSA-fpf5-4jw8-67x8
github.com/advisories/GHSA-fpf5-4jw8-67x8
github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j

Code Behaviors & Features

Detect and mitigate GHSA-fpf5-4jw8-67x8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →