CVE-2022-36078: Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate...

Description

Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program. When using `github.com/gagliardetto/binary` to parse unchecked (or wrong type of) data from untrusted sources of input (e.g. the blockchain) into slices, it's possible to allocate memory with excessive size. When `dec.Decode(&val)` method is used to parse data into a structure that is or contains slices of values, the length of the slice was previously read directly from the data itself without any checks on the size of it, and then a slice was allocated. This could lead to an overflow and an allocation of memory with excessive size value. Users should upgrade to `v0.7.1` or higher. A workaround is not to rely on the `dec.Decode(&val)` function to parse the data, but to use a custom `UnmarshalWithDecoder()` method that reads and checks the length of any slice.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.91%

55.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Binary Project	Binary	< 0.7.1

References

https://github.com/gagliardetto/binary/pull/7Issue Tracking, Patch, Third Party Advisory
https://github.com/gagliardetto/binary/releases/tag/v0.7.1Release Notes, Third Party Advisory
https://github.com/gagliardetto/binary/security/advisories/GHSA-4p6f-m4f9-ch88Exploit, Mitigation, Third Party Advisory
https://github.com/gagliardetto/binary/pull/7Issue Tracking, Patch, Third Party Advisory
https://github.com/gagliardetto/binary/releases/tag/v0.7.1Release Notes, Third Party Advisory
https://github.com/gagliardetto/binary/security/advisories/GHSA-4p6f-m4f9-ch88Exploit, Mitigation, Third Party Advisory

Timeline

Published: Sep 2, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-36078?

Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with (arbitrary) excessive size value, which can either exhaust available memory or crash the whole program. When using `github.com/gagliardetto/binary` to parse unchecked (or wrong type of) data from untrusted sources of input (e.g. the blockchain) into slices, it's possible to allocate memory with excessive size. When `dec.Decode(&val)` method is used to parse data into a structure that is or contains slices of values, the length of the slice was previously read directly from the data itself without any checks on the size of it, and then a slice was allocated. This could lead to an overflow and an allocation of memory with excessive size value. Users should upgrade to `v0.7.1` or higher. A workaround is not to rely on the `dec.Decode(&val)` function to parse the data, but to use a custom `UnmarshalWithDecoder()` method that reads and checks the length of any slice.

How severe is CVE-2022-36078?

CVE-2022-36078 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.91% probability of exploitation in the next 30 days.

How do I fix CVE-2022-36078?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.