CVE-2026-21452
📋 TL;DR
MessagePack for Java versions before 0.9.11 contain a denial-of-service vulnerability: deserializing untrusted MessagePack input (a .msgpack file or a network message) that contains a specially crafted EXT32 object triggers an unbounded heap allocation sized from the object's declared length rather than from the bytes actually present. A remote attacker can therefore exhaust JVM memory and crash the application. Any Java application that deserializes untrusted MessagePack data with an affected version is vulnerable.
💻 Affected Systems
- MessagePack for Java
📦 What is this software?
msgpack-java, the MessagePack binary serialization library for Java, maintained by the msgpack project at github.com/msgpack/msgpack-java.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability with JVM termination due to OutOfMemoryError, potentially causing cascading failures in production systems and extended downtime.
Likely Case
Service disruption through heap exhaustion leading to application crashes, failed requests, and degraded performance until restart.
If Mitigated
Controlled service degradation with monitoring alerts triggering before complete failure, allowing for intervention.
🎯 Exploit Status
Exploitation requires only a small, syntactically valid MessagePack payload. An EXT32 header carries a 32-bit length field, so a handful of bytes can declare a payload of up to 4 GiB, and the affected versions allocate for the declared length even when the input is far shorter. No authentication or special privileges are needed, and the attack can be performed remotely against any service that accepts MessagePack input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.11
Vendor Advisory: https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x
Restart Required: Yes
Instructions:
1. Update the MessagePack for Java dependency to version 0.9.11 or later.
2. Update pom.xml or build.gradle to reference the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Input validation and size limiting
Implement pre-deserialization validation that rejects MessagePack input whose extension payloads declare more bytes than the input actually contains or than the application ever expects, and cap the total input size accepted per request.
JVM heap monitoring and limits
Configure the JVM with a strict maximum heap and alert on heap usage so an exhaustion attempt is detected early. A heap cap bounds the blast radius to one JVM; it does not prevent the OutOfMemoryError itself, so pair it with the input checks above.
-Xmx<size> to set the maximum heap size
-XX:+HeapDumpOnOutOfMemoryError to write a heap dump for post-incident diagnostics
🧯 If You Can't Patch
- Implement strict input validation to reject .msgpack files from untrusted sources
- Isolate MessagePack deserialization in separate processes with resource limits
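The pre-deserialization check described under "Input validation and size limiting" above, and the strict input validation item in this list, can be implemented as a structural walk over the MessagePack stream that rejects any length-prefixed object whose declared size exceeds the bytes actually present or a chosen cap. The example below is an added illustration, not code from the advisory or from msgpack-java. It is written in Python so it can run in a gateway or upload service in front of the Java deserializer; the MAX_PAYLOAD and MAX_DEPTH caps are assumptions, and the three sample inputs are constructed. The walk covers every length-prefixed and container type rather than only EXT32, since a boundary check has no reason to special-case one type byte.

```python
"""Structural pre-check for MessagePack input (added example, not msgpack-java code).

Walks one MessagePack object and rejects any str/bin/ext whose declared length
exceeds the bytes present or a caller-chosen cap, before the bytes reach the
real deserializer.  MAX_PAYLOAD and MAX_DEPTH are assumptions for this example.
"""

MAX_PAYLOAD = 1 << 20   # assumption: no single str/bin/ext payload above 1 MiB
MAX_DEPTH = 64          # assumption: cap on array/map nesting


class InvalidMsgpack(ValueError):
    """Raised when the input is not one well-formed, size-bounded object."""


def _need(buf, pos, n):
    """Ensure n bytes exist at pos."""
    if pos + n > len(buf):
        raise InvalidMsgpack(f"offset {pos}: need {n} bytes, {len(buf) - pos} remain")


def _length(buf, pos, width):
    """Read a big-endian unsigned length field of `width` bytes."""
    _need(buf, pos, width)
    return int.from_bytes(buf[pos:pos + width], "big")


def _fixed(buf, pos, n):
    """Skip a fixed-size body (ints, floats, fixext)."""
    _need(buf, pos, n)
    return pos + n


def _payload(buf, pos, length, kind, limit):
    """Skip a length-prefixed body, checking the declared length before anything else."""
    if length > limit:
        raise InvalidMsgpack(f"offset {pos}: {kind} declares {length} bytes, limit {limit}")
    _need(buf, pos, length)
    return pos + length


def _walk_n(buf, pos, count, limit, depth):
    """Walk `count` consecutive objects; each needs at least one byte, so fail fast."""
    if count > len(buf) - pos:
        raise InvalidMsgpack(f"offset {pos}: container declares {count} elements, "
                             f"{len(buf) - pos} bytes remain")
    for _ in range(count):
        pos = _walk(buf, pos, limit, depth + 1)
    return pos


def _walk(buf, pos, limit, depth):
    """Validate one object starting at pos; return the offset just past it."""
    if depth > MAX_DEPTH:
        raise InvalidMsgpack(f"offset {pos}: nesting deeper than {MAX_DEPTH}")
    _need(buf, pos, 1)
    b = buf[pos]
    pos += 1
    if b <= 0x7f or b >= 0xe0:                # positive / negative fixint
        return pos
    if 0x80 <= b <= 0x8f:                     # fixmap: n key/value pairs
        return _walk_n(buf, pos, 2 * (b & 0x0f), limit, depth)
    if 0x90 <= b <= 0x9f:                     # fixarray
        return _walk_n(buf, pos, b & 0x0f, limit, depth)
    if 0xa0 <= b <= 0xbf:                     # fixstr
        return _payload(buf, pos, b & 0x1f, "fixstr", limit)
    if b in (0xc0, 0xc2, 0xc3):               # nil, false, true
        return pos
    if b == 0xc1:
        raise InvalidMsgpack(f"offset {pos - 1}: reserved type byte 0xc1")
    if 0xc4 <= b <= 0xc6:                     # bin8/16/32: length, data
        width = 1 << (b - 0xc4)
        return _payload(buf, pos + width, _length(buf, pos, width), "bin", limit)
    if 0xc7 <= b <= 0xc9:                     # ext8/16/32: length, type byte, data
        width = 1 << (b - 0xc7)
        length = _length(buf, pos, width)
        _need(buf, pos + width, 1)            # the ext type byte
        return _payload(buf, pos + width + 1, length, "ext", limit)
    if b in (0xca, 0xcb):                     # float32 / float64
        return _fixed(buf, pos, 4 << (b - 0xca))
    if 0xcc <= b <= 0xcf:                     # uint8..uint64
        return _fixed(buf, pos, 1 << (b - 0xcc))
    if 0xd0 <= b <= 0xd3:                     # int8..int64
        return _fixed(buf, pos, 1 << (b - 0xd0))
    if 0xd4 <= b <= 0xd8:                     # fixext1..fixext16: type byte + data
        return _fixed(buf, pos, 1 + (1 << (b - 0xd4)))
    if 0xd9 <= b <= 0xdb:                     # str8/16/32
        width = 1 << (b - 0xd9)
        return _payload(buf, pos + width, _length(buf, pos, width), "str", limit)
    if b in (0xdc, 0xdd):                     # array16 / array32
        width = 2 << (b - 0xdc)
        return _walk_n(buf, pos + width, _length(buf, pos, width), limit, depth)
    width = 2 << (b - 0xde)                   # 0xde / 0xdf: map16 / map32
    return _walk_n(buf, pos + width, 2 * _length(buf, pos, width), limit, depth)


def reject_reason(buf: bytes, max_payload: int = MAX_PAYLOAD):
    """Return None if buf is exactly one complete, size-bounded object, else why not."""
    try:
        end = _walk(buf, 0, max_payload, 0)
    except InvalidMsgpack as exc:
        return str(exc)
    if end != len(buf):
        return f"{len(buf) - end} trailing bytes after the object"
    return None


# Constructed samples for this example (not from the advisory or any real capture).
BENIGN = b"\x82" + b"\xa2id" + b"\x07" + b"\xa4blob" + b"\xc7\x03\x05\x01\x02\x03"
CRAFTED = b"\xc9\xff\xff\xff\xff\x01"                    # EXT32 claiming 4 GiB, no data
TRUNCATED = b"\xc9\x00\x00\x10\x00\x01" + b"\x00" * 10   # EXT32 claiming 4096 bytes, 10 present

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED), ("truncated", TRUNCATED)):
        print(f"{name:10s} {len(sample):3d} bytes -> {reject_reason(sample) or 'accepted'}")
```

Drop the bytes and log the offset whenever reject_reason returns a string. The walk is linear in the input size and never allocates anything proportional to a declared length, which is exactly the property the vulnerable deserializer lacks; it is a boundary filter, not a substitute for upgrading to 0.9.11.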
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency management file (pom.xml, build.gradle) for MessagePack for Java version. If version is below 0.9.11, you are vulnerable.
Check Version:
For Maven: mvn dependency:tree | grep msgpack. For Gradle: gradle dependencies | grep msgpack. Gradle prints a conflict-resolved dependency as 0.9.8 -> 0.9.11; the version to the right of the arrow is the one on the classpath, so check that one rather than the declared version.
Verify Fix Applied:
After updating, verify the installed version is 0.9.11 or higher by checking dependency resolution output or running the application with version logging enabled.
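The version check in this section can be scripted for CI so the dependency output is parsed rather than eyeballed. The example below is added here and is not part of the advisory or of msgpack-java; it assumes the library is consumed as the org.msgpack:msgpack-core artifact, and the two sample outputs are constructed to mimic mvn dependency:tree and gradle dependencies. It handles the Gradle conflict-resolution arrow so that a declared 0.9.8 resolved to 0.9.11 is not reported as vulnerable.

```python
"""Flag msgpack-core versions below the fixed release in build-tool output.

Added example, not part of the advisory.  Assumes the artifact coordinate
org.msgpack:msgpack-core; MAVEN_SAMPLE and GRADLE_SAMPLE are constructed.
"""
import re

FIXED = (0, 9, 11)

# Maven prints   org.msgpack:msgpack-core:jar:0.9.10:compile
# Gradle prints  org.msgpack:msgpack-core:0.9.10, or after conflict resolution
#                org.msgpack:msgpack-core:0.9.8 -> 0.9.11  (right side is what ships)
COORD_RE = re.compile(
    r"org\.msgpack:msgpack-core(?::jar)?:(\d+(?:\.\d+)*)(?:\s*->\s*(\d+(?:\.\d+)*))?"
)


def parse_version(text: str) -> tuple:
    """'0.9.10' -> (0, 9, 10); numeric components only."""
    return tuple(int(part) for part in text.split("."))


def resolved_versions(output: str) -> list:
    """Every (declared, resolved) msgpack-core version pair found in the output."""
    pairs = []
    for line in output.splitlines():
        m = COORD_RE.search(line)
        if m:
            declared = m.group(1)
            pairs.append((declared, m.group(2) or declared))
    return pairs


def vulnerable_versions(output: str) -> list:
    """Distinct resolved msgpack-core versions below FIXED, in order of appearance."""
    found = []
    for _, resolved in resolved_versions(output):
        if parse_version(resolved) < FIXED and resolved not in found:
            found.append(resolved)
    return found


# Constructed sample outputs (not real build logs).
MAVEN_SAMPLE = """\
[INFO] com.example:orders:jar:1.4.0
[INFO] +- org.msgpack:msgpack-core:jar:0.9.10:compile
[INFO] \\- org.msgpack:jackson-dataformat-msgpack:jar:0.9.10:compile
"""

GRADLE_SAMPLE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.msgpack:msgpack-core:0.9.8 -> 0.9.11
\\--- org.msgpack:jackson-dataformat-msgpack:0.9.11
     \\--- org.msgpack:msgpack-core:0.9.11 (*)
"""

if __name__ == "__main__":
    for name, sample in (("maven", MAVEN_SAMPLE), ("gradle", GRADLE_SAMPLE)):
        bad = vulnerable_versions(sample)
        print(f"{name}: {'VULNERABLE ' + ', '.join(bad) if bad else 'fixed version resolved'}")
```

Feed it the real command output (for example, mvn dependency:tree -Dincludes=org.msgpack) and fail the build when the returned list is non-empty; a version with a non-numeric qualifier such as a SNAPSHOT would need parse_version extended before use.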
📡 Detection & Monitoring
Log Indicators:
- java.lang.OutOfMemoryError: Java heap space (the JVM's literal message) and other OutOfMemoryError exceptions
- Garbage collection spikes
- Application crashes during deserialization
Network Indicators:
- Small .msgpack file uploads followed by memory spikes
- Requests to deserialization endpoints with MessagePack content
SIEM Query:
source="application.logs" AND ("OutOfMemoryError" OR "heap exhaustion") AND process="java"