Threat Advisory

Zserio Runtime Integer Overflow Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-33524 (CVSS score 7.5) is a vulnerability in the Zserio Runtime framework, specifically in the BitStreamReader and Deserialization components, affecting versions up to and including 2.18.0. An integer overflow in BitStreamReader combined with unbounded memory allocation during deserialization can be triggered by a crafted payload as small as 4-5 bytes: the length field in that payload drives an allocation of up to 16 GB, so the consuming process crashes with an out-of-memory (OOM) error, resulting in a Denial of Service (DoS). The vulnerability is exploitable over the network with low attack complexity and requires neither privileges nor user interaction; the attacker gains the ability to compromise the availability of the affected system, although not its confidentiality or integrity. Business impact includes DoS against systems that use Zserio for serialization, such as NDS.Live cloud map updates, disruption of the map data supply chain, and outages in backend data processing pipelines, potentially affecting ADAS functionality on 32-bit automotive ECUs. The only prerequisite for exploitation is the ability to deliver a crafted payload to a component that deserializes Zserio-encoded data over the network, so any service accepting such data from an untrusted source should be treated as exposed.
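The pattern described above, a tiny length-prefixed header that makes a deserializer reserve gigabytes before any payload has been read, is easiest to understand next to its hardened form. The following C++ is an added illustration written for this advisory; it is not Zserio runtime code and makes no claim about Zserio internals. It assumes a 32-bit big-endian element count followed by 64-bit elements (so a count of 0x7FFFFFFF demands roughly 16 GB), and the sample inputs are constructed, not captured from any real system. The vulnerable function returns the number of bytes it would request instead of allocating them, so the demo does not exhaust the caller's memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Toy big-endian byte-stream reader used to contrast the vulnerable and the
// hardened deserialization pattern. Illustration only, NOT the Zserio runtime.
struct ByteReader {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;  // byte offset into data

    uint32_t readU32() {
        if (size - pos < 4) throw std::runtime_error("truncated stream");
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v = (v << 8) | data[pos++];
        return v;
    }
    uint64_t readU64() {
        if (size - pos < 8) throw std::runtime_error("truncated stream");
        uint64_t v = 0;
        for (int i = 0; i < 8; ++i) v = (v << 8) | data[pos++];
        return v;
    }
    size_t remaining() const { return size - pos; }
};

// Vulnerable pattern: trust the element count from the stream and size the
// container from it before a single element has been read. A 4-byte header
// therefore controls count * sizeof(uint64_t) bytes of allocation. Returns the
// byte count it would request rather than allocating, to keep the demo safe.
size_t vulnerableReserveBytes(const uint8_t* buf, size_t len) {
    ByteReader r{buf, len};
    uint32_t count = r.readU32();
    return static_cast<size_t>(count) * sizeof(uint64_t);  // unbounded by input size
}

// Position arithmetic done in 32 bits (as on a 32-bit ECU): count * 64 bits
// wraps silently, so a later "does it fit in the stream" check on the wrapped
// value can pass. Returns true when the product does not fit in uint32_t.
bool bitLengthOverflows32(uint32_t count) {
    uint32_t bits;
    return __builtin_mul_overflow(count, 64u, &bits);  // GCC/Clang builtin
}

// Hardened pattern: compute the required size with overflow-checked arithmetic
// and refuse any count the remaining payload cannot possibly contain, before
// reserving anything.
std::vector<uint64_t> hardenedReadArray(const uint8_t* buf, size_t len) {
    ByteReader r{buf, len};
    uint32_t count = r.readU32();
    size_t needed;
    if (__builtin_mul_overflow(static_cast<size_t>(count), sizeof(uint64_t), &needed))
        throw std::length_error("array byte length overflows size_t");
    if (needed > r.remaining())
        throw std::length_error("array length exceeds remaining payload");
    std::vector<uint64_t> out;
    out.reserve(count);  // now bounded by the bytes actually present
    for (uint32_t i = 0; i < count; ++i) out.push_back(r.readU64());
    return out;
}

// Convenience wrapper: true if the hardened parser rejects the input.
bool hardenedRejects(const uint8_t* buf, size_t len) {
    try { hardenedReadArray(buf, len); return false; }
    catch (const std::length_error&) { return true; }
}

// Constructed sample inputs (hypothetical, not from any real system).
// Four-byte header claiming 0x7FFFFFFF elements and carrying no payload.
static const uint8_t kCraftedHeader[4] = {0x7F, 0xFF, 0xFF, 0xFF};
// Header claiming 2 elements followed by exactly 16 bytes of element data.
static const uint8_t kGoodPayload[20] = {
    0x00, 0x00, 0x00, 0x02,
    0, 0, 0, 0, 0, 0, 0, 1,
    0, 0, 0, 0, 0, 0, 0, 2};
```

The check that matters is the comparison against `remaining()`: a count is only plausible if the bytes it implies are actually present, which caps the allocation at the size of the input regardless of what the header claims. The 32-bit overflow helper shows why a size check alone is insufficient on narrow targets: the multiplication must be overflow-checked, or the check compares against a wrapped value.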

RECOMMENDATION:

  • We recommend updating Zserio Runtime to version 2.18.1 or later.
  • Until the update is deployed, treat Zserio-encoded input from untrusted sources as hostile and enforce payload size limits at the network boundary, since the crafted payload is only a few bytes and requires no privileges to deliver.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-cwq5-8pvq-j65j
