Fluid Attacks Database

Description

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	golang-github-buger-jsonparser	=1.1.1-2 \|\| >=0 <1.1.2-1	1.1.2-1
debian 12	golang-github-buger-jsonparser	=1.1.1-2 \|\| =1.1.2-1	-
go	github.com/buger/jsonparser	>=0 <1.1.2	1.1.2
debian 11	golang-github-buger-jsonparser	=1.1.1-1 \|\| =1.1.1-2 \|\| =1.1.2-1	-
debian 13	golang-github-buger-jsonparser	=1.1.1-2 \|\| =1.1.2-1	-

Aliases

1. CVE-2026-322852. NVD-2026-322853. OSV-DEBIAN-2026-322854. OSV-2026-322855. GCVE-2026-322856. SECURITY-TRACKER-CVE-2026-32285

References

1. https://github.com/buger/jsonparser/issues/2752. https://github.com/golang/vulndb/issues/45143. https://github.com/buger/jsonparser/pull/2764. https://github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b05. https://github.com/buger/jsonparser/releases/tag/v1.1.26. https://pkg.go.dev/vuln/GO-2026-45147. https://securityinfinity.com/research/buger-jsonparser-negative-slice-panic-dos-2026

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.