CVE-2026-21452

The 6-Byte JVM Killer: Deep Dive into CVE-2026-21452

Alon Barad
Software Engineer

Jan 5, 2026 · 6 min read

Executive Summary (TL;DR)

MessagePack-Java (msgpack-java) versions before 0.9.11 trust the length declared in the header of an incoming object without checking it against the data actually present. A malicious packet whose header claims roughly 2 GB of payload (while carrying none) makes the library attempt a single allocation of that size up front. When the heap cannot satisfy the request the JVM throws an OutOfMemoryError; that kills at least the thread handling the message and, depending on JVM flags such as -XX:+ExitOnOutOfMemoryError, the whole process, and the attacker can repeat the request at will. Version 0.9.11 replaces the up-front allocation with a 'gradual loading' strategy for large objects, so the buffer grows as bytes arrive rather than being sized from the declared length.

A classic untrusted-size allocation flaw (CWE-789) in msgpack-java lets an unauthenticated remote attacker crash Java applications with a tiny, 6-byte payload that triggers a huge heap allocation.
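To make the failure mode concrete, here is a small Python model of the pattern. It is added here as an illustration and is not msgpack-java's code, nor does it reproduce the library's internals. It builds genuine MessagePack bin32/str32/ext32 headers that declare a 0x7FFFFFFF-byte payload with nothing behind them, shows the vulnerable shape (allocate first, validate later) next to a hardened reader that checks the declared length against a configured cap and against the bytes actually present before allocating. The `max_payload` cap of 1 MiB and the function names are choices made for this example, not values from the advisory.

```python
import struct

# MessagePack formats whose header carries a 32-bit big-endian payload length (msgpack spec).
# ext32 has an extra 1-byte ext type after the length, so its header is 6 bytes; the others are 5.
HEADERS = {
    0xC6: ("bin32", 5),
    0xDB: ("str32", 5),
    0xC9: ("ext32", 6),
}


def make_header(fmt_byte: int, declared_len: int, ext_type: int = 0) -> bytes:
    """Constructed input: a bin32/str32/ext32 header claiming `declared_len` bytes, no payload."""
    hdr = bytes([fmt_byte]) + struct.pack(">I", declared_len)
    if fmt_byte == 0xC9:
        hdr += struct.pack("b", ext_type)
    return hdr


def parse_header(buf: bytes):
    """Return (format name, declared payload length, header length) for one object."""
    if not buf or buf[0] not in HEADERS:
        raise ValueError("not a 32-bit length-prefixed msgpack object")
    name, hdr_len = HEADERS[buf[0]]
    if len(buf) < hdr_len:
        raise ValueError("truncated header")
    (n,) = struct.unpack(">I", buf[1:5])
    return name, n, hdr_len


def unpack_naive(buf: bytes) -> bytes:
    """Vulnerable shape (CWE-789): size the buffer from the header, then try to fill it."""
    _, n, hdr_len = parse_header(buf)
    payload = bytearray(n)  # attacker-chosen size; ~2 GiB when n == 0x7FFFFFFF
    data = buf[hdr_len:hdr_len + n]
    if len(data) != n:
        raise EOFError("stream ended early")  # too late, the allocation already happened
    payload[:] = data
    return bytes(payload)


def unpack_hardened(buf: bytes, max_payload: int = 1 << 20) -> bytes:
    """Hardened shape: reject an implausible declared length before allocating anything.
    `max_payload` is an example cap chosen for this demo, not a value from the advisory."""
    name, n, hdr_len = parse_header(buf)
    available = len(buf) - hdr_len
    if n > max_payload:
        raise ValueError(f"{name} declares {n} bytes, above the {max_payload}-byte limit")
    if n > available:
        raise ValueError(f"{name} declares {n} bytes but only {available} are present")
    return bytes(buf[hdr_len:hdr_len + n])


def rejects(buf: bytes, max_payload: int = 1 << 20) -> bool:
    """True if the hardened reader refuses `buf` without allocating the declared size."""
    try:
        unpack_hardened(buf, max_payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_header(0xC9, 0x7FFFFFFF, ext_type=1)   # 6 bytes on the wire
    print(len(bomb), parse_header(bomb))                # 6 ('ext32', 2147483647, 6)
    print(rejects(bomb))                                # True
    legit = make_header(0xC6, 3) + b"abc"
    print(unpack_naive(legit), unpack_hardened(legit))  # b'abc' b'abc'
```

`unpack_naive` is deliberately never run on the oversized header: doing so would ask the interpreter for about 2 GiB, which is exactly the behaviour the advisory describes on the JVM. Over a socket the reader does not know how many bytes are still to come, so the "bytes actually present" check is only available for complete buffers; the hard cap, and the incremental growth that 0.9.11 adopts, are the defences that work on a stream.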

Technical Appendix

CVSS Score: 7.5 / 10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.03%
EPSS Percentile: top 91% most exploited

Affected Systems

Java applications using msgpack-java < 0.9.11
Microservices using MessagePack for RPC
Data ingestion pipelines processing .msgpack files

Affected Versions Detail

Product: msgpack-java (MessagePack)
Affected Versions: < 0.9.11
Fixed Version: 0.9.11

Attribute / Detail

CWE ID: CWE-789
Attack Vector: Network
CVSS Score: 7.5 (High)
Exploit Status: PoC available
Impact: Denial of Service (OOM)
Fix Version: 0.9.11

CWE-789: Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted size value, allowing an attacker to cause a denial of service by consuming all available memory.

Vulnerability Timeline

Vulnerability disclosed and GHSA published: 2026-01-02
Fix commit merged (daa2ea6): 2026-01-02
Version 0.9.11 released: 2026-01-02