The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in     versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-     controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the     declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is     invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper     bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation,     resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is     triggered during model loading / deserialization, making it a model format vulnerability suitable for     remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that     deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but     syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively     large payload length can trigger unbounded memory allocation during deserialization. When the model file     is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that     size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an     OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can     be exploited remotely in real-world environments such as model registries, inference services, CI/CD     pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the     malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms,     resulting in complete service unavailability and potential cascading failures in production systems.
    Version 0.9.11 fixes the vulnerability. (CVE-2026-21452)

Note that Nessus relies on the presence of the package as reported by the vendor.

Detections

Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-21452

high Nessus Plugin ID 281625

Version 1.5

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.5 Feb 19, 2026, 12:02 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:U/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:U/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202602191202
Version 1.4 Jan 30, 2026, 10:33 PM Detection (updated detection logic) Plugin metadata Plugin Feed: 202601302233
Version 1.3 Jan 21, 2026, 10:50 AM Plugin metadata Detection (updated detection logic) Plugin Feed: 202601211050
Version 1.2 Jan 5, 2026, 2:31 PM Detection (updated detection logic) Plugin metadata Plugin Feed: 202601051431
Version 1.1 Jan 3, 2026, 4:13 PM New Plugin Feed: 202601031613