Zserio DoS: Crafted Payload Triggers Massive Memory Allocation
The National Vulnerability Database (NVD) has published CVE-2026-33524, affecting Zserio, a data serialization framework. An unauthenticated attacker can trigger a denial of service (DoS) by sending a small, crafted payload: according to the NVD analysis, as few as 4-5 bytes can make Zserio attempt to allocate up to 16 GB of memory, which produces an Out-Of-Memory (OOM) condition and crashes the process performing the deserialization.
This high-severity flaw, scored CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), is classified as memory allocation with an excessive size value (CWE-789): the classic shape of this weakness is a size taken from the input and used to size an allocation before it has been checked against what the input can actually contain. The advisory does not name specific affected products; any system that deserializes Zserio data with a version prior to 2.18.1 should be treated as vulnerable. The attack needs no authentication, no user interaction and no sophistication, which makes it a pressing concern for defenders: a few bytes from the network are enough to crash any service that accepts Zserio-encoded input from untrusted sources.
Organizations running Zserio in their infrastructure should prioritize upgrading to version 2.18.1. Note that Zserio is a schema compiler with per-language runtime libraries, so the exposure sits wherever generated code and its runtime deserialize untrusted input; upgrading means moving those runtimes to 2.18.1 (and regenerating code where the release requires it), not changing the schema. The attacker's calculus here is straightforward: cheap, effective disruption. This is not about data exfiltration; it is about taking systems offline with minimal effort, which can be devastating for critical services. Defending against such a low-effort attack demands rapid remediation and, until the patch is in place, isolating or rate-limiting endpoints that accept Zserio payloads from untrusted parties.
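The shape of the bug, as an added example that is not Zserio's code or wire format: a toy length-prefixed array decoder in Python in which the declared element count drives an allocation, shown in its naive form beside a hardened form. The format, the 64 MiB policy cap, the function names and the sample payloads are all constructed for illustration; the advisory does not say which Zserio field is involved or how it is encoded, and the naive decoder only reports the allocation it would make rather than performing it.

```python
"""Constructed illustration of CWE-789 (memory allocation with an excessive
size value) using a toy length-prefixed array format.  This is NOT Zserio's
wire format or Zserio code; it only shows the pattern the advisory describes
(a few input bytes steering a huge allocation) and the checks that stop it.
"""
import struct

ELEMENT_SIZE = 4                      # each array element is a big-endian uint32
MAX_ALLOC_BYTES = 64 * 1024 * 1024    # hypothetical per-message allocation policy


class DecodeError(ValueError):
    """Raised when a payload fails a size or bounds check."""


def _read_u32(payload, offset):
    """Read a big-endian uint32 at offset, refusing to read past the end."""
    if offset + 4 > len(payload):
        raise DecodeError("truncated payload at offset %d" % offset)
    return struct.unpack_from(">I", payload, offset)[0]


def naive_allocation_bytes(payload):
    """Bytes a naive decoder would reserve: it trusts the declared element
    count and sizes the array before checking that the bytes exist.  The
    size is returned instead of allocated so the hostile case is safe to run."""
    count = _read_u32(payload, 0)
    return count * ELEMENT_SIZE


def decode_array_safe(payload, max_bytes=MAX_ALLOC_BYTES):
    """Hardened decoder.  The declared count is bounded by the bytes actually
    present (an n-byte message can never legitimately need more than ~n bytes
    of element storage) and by an explicit allocation policy."""
    count = _read_u32(payload, 0)
    available = len(payload) - 4
    if count > available // ELEMENT_SIZE:
        raise DecodeError(
            "declared count %d needs %d bytes but only %d are present"
            % (count, count * ELEMENT_SIZE, available))
    if count * ELEMENT_SIZE > max_bytes:
        raise DecodeError(
            "allocation of %d bytes exceeds policy" % (count * ELEMENT_SIZE))
    # Only now is it safe to size a container from the attacker-supplied count.
    return [_read_u32(payload, 4 + i * ELEMENT_SIZE) for i in range(count)]


# Constructed sample inputs (not captured traffic).
BENIGN_PAYLOAD = struct.pack(">I", 3) + struct.pack(">III", 10, 20, 30)
# Four 0xFF bytes declare 4,294,967,295 elements: ~16 GiB of uint32 storage
# requested by a 4-byte message, the same asymmetry the advisory describes.
HOSTILE_PAYLOAD = b"\xff\xff\xff\xff"

if __name__ == "__main__":
    print("benign decodes to", decode_array_safe(BENIGN_PAYLOAD))
    print("naive decoder would allocate %d bytes for the hostile payload"
          % naive_allocation_bytes(HOSTILE_PAYLOAD))
    try:
        decode_array_safe(HOSTILE_PAYLOAD)
    except DecodeError as exc:
        print("hardened decoder rejected it:", exc)
```

The first check is the one that matters when the whole message is in hand: it makes the allocation proportional to the bytes received, so a 5-byte message cannot cost gigabytes. The policy cap is the fallback for streaming readers that do not know the total message length up front, where "bytes present" cannot be computed before reading.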
What This Means For You
- If your organization uses Zserio for data serialization, every service that deserializes Zserio input from an untrusted source is exposed to a trivial denial-of-service attack. Inventory the Zserio runtime versions in use (including those bundled into generated code) and upgrade to 2.18.1 so that unauthenticated attackers cannot crash those services with a few bytes.
🛡️ Detection Rules
```yaml
title: CVE-2026-33524 - Zserio Crafted Payload Memory Allocation
id: scw-2026-04-24-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-33524 by looking for URI paths and query
  parameters indicative of a crafted Zserio payload designed to trigger
  excessive memory allocation. The URI path and query parameter below are
  placeholders chosen by the rule generator: the advisory names no HTTP
  endpoint or parameter, and Zserio is a library rather than a network
  service, so replace the selectors with the paths and parameters of the
  application that actually deserializes Zserio input before deploying.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33524/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'zserio_payload_size'
    cs-uri|contains:
      - '/zserio_deserialize'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33524 | DoS | Zserio framework versions prior to 2.18.1 |
| CVE-2026-33524 | DoS | Memory Allocation Exhaustion via crafted payload (4-5 bytes) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 24, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.