Description

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-26 | Updated 2026-04-20 | Assigner Go

Problem types

CWE-125: Out-of-bounds Read

Product status

Default status: unaffected

Any version before 1.1.2: affected

References

securityinfinity.com/...parser-negative-slice-panic-dos-2026 exploit

github.com/buger/jsonparser/issues/275

github.com/golang/vulndb/issues/4514

pkg.go.dev/vuln/GO-2026-4514

cve.org (CVE-2026-32285)

nvd.nist.gov (CVE-2026-32285)
