A crafted payload of only 4 to 5 bytes can force a memory allocation of up to 16 GB, killing the parsing process with an out-of-memory error (denial of service).
Affected code (C++):

- cpp/runtime/src/zserio/Array.h (line 1029) — m_rawArray.reserve(readLength) with unchecked readLength
- cpp/runtime/src/zserio/BitStreamReader.h (lines 249, 281) — value.reserve(len) with unchecked len

Affected code (Java):

- java/runtime/src/zserio/runtime/array/Array.java (line 271) — rawArray.reset(readSize) → new int[readSize]
- java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java (line 245) — new byte[length]

| Payload | Claimed Size | Allocated | Amplification |
|---------|-------------|-----------|---------------|
| 4 bytes | 100,000,000 | 762 MB | ~200 million x |
| 5 bytes | 2,147,483,647 | ~16 GB | system crash |
The full PoC source code and Docker build files are available upon request.
zserio is the serialization framework underlying the NDS (Navigation Data Standard), used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:
"Zserio serialized data is used in millions of deployments in cars on the road"
Attack vectors include NDS.Live cloud map updates, compromise of the map data supply chain, and backend data processing pipelines that parse untrusted map data. On 32-bit automotive ECUs, this could affect ADAS functionality.
Suggested fix (validate the decoded varsize against the stream before allocating from it):

```cpp
if (claimedSize > remainingBytesInStream) {
    throw error("varsize claims more data than available in stream");
}
```
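The unchecked-length pattern and the check above, as an added example that is not code from the zserio project: a toy byte reader with a zserio-style varsize decoder, a function that reports how many bytes the vulnerable reserve() would request for a given payload (without actually allocating), and a hardened array read that bounds the claimed element count by the data still in the stream. The check here compares in bits rather than bytes, a small generalization of the snippet above, since zserio arrays can hold sub-byte elements. The names (Reader, readVarSize, readArrayChecked, arrayPayload), the fixed 32-bit element type, and the exact varsize byte layout are assumptions for this example; the payloads are constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <vector>

// Largest value a zserio varsize may carry (2^31 - 1).
static constexpr uint32_t kVarSizeMax = 0x7FFFFFFFu;
// Elements of the toy array are fixed 32-bit big-endian integers (assumption).
static constexpr unsigned kElementBits = 32;

// Minimal byte-oriented reader standing in for zserio's BitStreamReader.
struct Reader {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    explicit Reader(const std::vector<uint8_t>& b) : buf(b) {}
    size_t remainingBytes() const { return buf.size() - pos; }
    uint8_t readByte() {
        if (pos >= buf.size()) throw std::runtime_error("unexpected end of stream");
        return buf[pos++];
    }
};

// varsize decoder: up to four bytes of 1 continuation bit + 7 value bits, then an
// optional fifth byte holding 8 value bits. Layout assumed from the public zserio
// varuint description; only the trust placed in the result matters here.
uint32_t readVarSize(Reader& r) {
    uint64_t value = 0;
    for (int i = 0; i < 5; ++i) {
        const uint8_t b = r.readByte();
        if (i < 4) {
            value = (value << 7) | (b & 0x7Fu);
            if ((b & 0x80u) == 0) break;
        } else {
            value = (value << 8) | b;
        }
    }
    if (value > kVarSizeMax) throw std::runtime_error("varsize out of range");
    return static_cast<uint32_t>(value);
}

// Encoder, used only to construct payloads for the demonstration.
std::vector<uint8_t> encodeVarSize(uint32_t v) {
    if (v > kVarSizeMax) throw std::invalid_argument("value does not fit a varsize");
    std::vector<uint8_t> out;
    if (v < (1u << 28)) {
        int n = 1;                       // number of 7-bit groups needed
        while (n < 4 && v >= (1u << (7 * n))) ++n;
        for (int i = n - 1; i >= 0; --i)
            out.push_back(static_cast<uint8_t>(((v >> (7 * i)) & 0x7Fu) | (i > 0 ? 0x80u : 0u)));
    } else {
        for (int shift : {29, 22, 15, 8})
            out.push_back(static_cast<uint8_t>(0x80u | ((v >> shift) & 0x7Fu)));
        out.push_back(static_cast<uint8_t>(v & 0xFFu));
    }
    return out;
}

// The vulnerable pattern: the decoded length goes straight into reserve().
// This returns the byte count reserve() would request instead of allocating,
// so the amplification in the table can be reproduced without an OOM kill.
uint64_t vulnerableReserveBytes(const std::vector<uint8_t>& payload, size_t elementSize) {
    Reader r(payload);
    const uint32_t readLength = readVarSize(r);
    return static_cast<uint64_t>(readLength) * elementSize;  // m_rawArray.reserve(readLength)
}

// Hardened read: bound the claimed element count by the data still in the
// stream before sizing anything.
std::vector<uint32_t> readArrayChecked(const std::vector<uint8_t>& payload) {
    Reader r(payload);
    const uint32_t readLength = readVarSize(r);
    const uint64_t remainingBits = static_cast<uint64_t>(r.remainingBytes()) * 8;
    if (static_cast<uint64_t>(readLength) * kElementBits > remainingBits)
        throw std::runtime_error("varsize claims more data than available in stream");
    std::vector<uint32_t> out;
    out.reserve(readLength);  // now bounded by the payload actually received
    for (uint32_t i = 0; i < readLength; ++i) {
        uint32_t v = 0;
        for (int k = 0; k < 4; ++k) v = (v << 8) | r.readByte();
        out.push_back(v);
    }
    return out;
}

// Builds a well-formed array payload: varsize count followed by 32-bit elements.
std::vector<uint8_t> arrayPayload(std::initializer_list<uint32_t> values) {
    std::vector<uint8_t> p = encodeVarSize(static_cast<uint32_t>(values.size()));
    for (uint32_t v : values)
        for (int shift : {24, 16, 8, 0}) p.push_back(static_cast<uint8_t>((v >> shift) & 0xFFu));
    return p;
}

bool checkedReadRejects(const std::vector<uint8_t>& payload) {
    try { readArrayChecked(payload); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    // Constructed DoS payloads: a bare length claim and nothing else.
    for (uint32_t claimed : {100000000u, 2147483647u}) {
        const std::vector<uint8_t> p = encodeVarSize(claimed);
        std::printf("%zu-byte payload claims %u elements: reserve() would request %llu bytes; checked read %s\n",
                    p.size(), claimed, (unsigned long long)vulnerableReserveBytes(p, 8),
                    checkedReadRejects(p) ? "rejects it" : "accepts it");
    }
    return 0;
}
```

With 8-byte elements the 4-byte payload maps to 800,000,000 bytes (the 762 MB figure in the table) and the 5-byte payload to roughly 16 GiB, while the checked read refuses both because the stream holds no element data at all. A payload whose claimed count is consistent with its size, such as the one built by arrayPayload, still parses normally.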
2.18.1

CVSS 3.1 base score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: AV:N (Network), AC:L (Low), PR:N (None), UI:N (None)
Scope: S:U (Unchanged)
Impact: C:N (None), I:N (None), A:H (High)