{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32285", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-11T16:38:46.556Z", "datePublished": "2026-03-26T19:40:51.837Z", "dateUpdated": "2026-03-30T14:55:19.026Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:51.837Z"}, "title": "Denial of service in github.com/buger/jsonparser", "descriptions": [{"lang": "en", "value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."}], "affected": [{"vendor": "github.com/buger/jsonparser", "product": "github.com/buger/jsonparser", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/buger/jsonparser", "programRoutines": [{"name": "Delete"}, {"name": "FuzzDelete"}], "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://github.com/buger/jsonparser/issues/275"}, {"url": "https://github.com/golang/vulndb/issues/4514"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4514"}]}, "adp": [{"references": [{"url": "https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:05:55.547828Z", "id": "CVE-2026-32285", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:55:19.026Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32285", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:05:55.547828Z"}}}], "references": [{"url": "https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:06:20.581Z"}}], "cna": {"title": "Denial of service in github.com/buger/jsonparser", "affected": [{"vendor": "github.com/buger/jsonparser", "product": "github.com/buger/jsonparser", "packageName": "github.com/buger/jsonparser", "collectionURL": "https://pkg.go.dev", "defaultStatus": "affected", "programRoutines": [{"name": "Delete"}, {"name": "FuzzDelete"}]}], "references": [{"url": "https://github.com/buger/jsonparser/issues/275"}, {"url": "https://github.com/golang/vulndb/issues/4514"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4514"}], "descriptions": [{"lang": "en", "value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-26T19:40:51.837Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32285", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:55:19.026Z", "dateReserved": "2026-03-11T16:38:46.556Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-26T19:40:51.837Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack."}, {"lang": "es", "value": "La funci\u00f3n Eliminar no valida correctamente los desplazamientos al procesar una entrada JSON malformada. Esto puede provocar un \u00edndice de segmento negativo y un p\u00e1nico en tiempo de ejecuci\u00f3n, permitiendo un ataque de denegaci\u00f3n de servicio."}], "id": "CVE-2026-32285", "lastModified": "2026-03-30T15:16:27.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T20:16:12.197", "references": [{"source": "security@golang.org", "url": "https://github.com/buger/jsonparser/issues/275"}, {"source": "security@golang.org", "url": "https://github.com/golang/vulndb/issues/4514"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4514"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input", "id": "2451846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451846"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.", "A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32285", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/loki-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/loki-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/lokistack-gateway-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/opa-openshift-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/loki-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/platform-operator-bundle", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/container-networking-plugins-microshift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-api-server-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-container-networking-plugins-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-query-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/tempo-rhel9", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:windows_machine_config", "fix_state": "Affected", "package_name": "openshift4-wincw/windows-machine-config-operator-bundle", "product_name": "Red Hat OpenShift for Windows Containers"}, {"cpe": "cpe:/a:redhat:windows_machine_config", "fix_state": "Affected", "package_name": "openshift4-wincw/windows-machine-config-rhel9-operator", "product_name": "Red Hat OpenShift for Windows Containers"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "rhoso-operators/openstack-operator-bundle", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-03-26T19:40:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32285\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32285\nhttps://github.com/buger/jsonparser/issues/275\nhttps://github.com/golang/vulndb/issues/4514\nhttps://pkg.go.dev/vuln/GO-2026-4514"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/buger/jsonparser", "source": "cna", "vendor": "github.com/buger/jsonparser"}, "product": "jsonparser", "vendor": "buger"}], "analysis": {"en": {"generated_at": "2026-03-28T14:50:21.681601+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest release of github.com/buger/jsonparser that includes the offset validation fix", "If an update cannot be applied immediately, avoid using the Delete function with untrusted or externally supplied JSON", "Add defensive checks in your application to catch potential panics or validate JSON before passing it to the library", "Monitor application logs for panic events and ensure graceful error handling"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All releases of github.com/buger/jsonparser prior to the published fix are affected. Projects that embed the Delete function and accept untrusted JSON may be vulnerable. Based on the description, it is inferred that all releases before the fix are affected, and the exact version range is not specified in the advisory, so users should refer to the library\u2019s release notes for the patched version.", "description_and_impact": "The Delete function in the jsonparser Go library incorrectly handles offset values when parsing malformed JSON, allowing a negative slice index that triggers a runtime panic. This panic terminates the program, resulting in a denial of service. The faulty logic stems from improper input validation associated with CWE-1285.", "risk_and_exploitability": "The vulnerability has a CVSS base score of 7.5, indicating high impact. EPSS score is less than 1%, suggesting low probability of exploitation. It is not listed in the CISA KEV catalog. The faulty Delete function can be triggered by supplying crafted malformed JSON to any interface that uses the function. Based on the description, it is inferred that an attacker could cause a crash without needing elevated privileges."}}}}, "created": "2026-03-27T08:32:25.636149+00:00", "updated": "2026-03-29T20:27:52.712339+00:00", "vendors": ["buger", "buger$PRODUCT$jsonparser"]}