
Tornado CVE-2026-49854

LOW
Buffer Over-read (CWE-126)
2026-06-12 · https://github.com/tornadoweb/tornado · GHSA-cx3h-4qpv-8hc9
3.7 (CVSS 3.1 · GitHub Advisory)

Severity by source

  • GitHub Advisory (primary): 3.7 LOW, AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • vuln.today AI: 3.7 LOW. Network-reachable via WebSocket, but AC:H because two prerequisites must hold at once (C extension active and xsrf_cookies=True); only low confidentiality impact from a 3-byte uninitialized-memory leak; no integrity or availability impact.
    CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
    CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 12, 2026 - 18:52 (vuln.today)
  • Analysis Generated: Jun 12, 2026 - 18:52 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a depth of 4 paths):
  • 1 PyPI package depends on tornado (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.5.6.

Description (GitHub Advisory)

Summary

Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.

The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.
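As an added illustration (not Tornado's tornado.speedups source), the following stand-alone C routine performs the RFC 6455 mask XOR and enforces the exact 4-byte mask length that the advisory says the extension failed to check; the function names and the 3-byte sample mask are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WS_MASK_LEN 4

/* Illustrative masking routine, not Tornado's code: XOR each payload byte
 * with mask[i % 4] as in RFC 6455 section 5.3. The mask_len check is the
 * kind of validation the advisory describes as missing: without it, a
 * 1..3-byte mask buffer is read as if it held 4 bytes and whatever lies
 * past its end is folded into the output.
 * Returns 0 on success, -1 if the mask is not exactly 4 bytes; on failure
 * `out` is left untouched so no partial result escapes. */
int websocket_mask_checked(const uint8_t *mask, size_t mask_len,
                           const uint8_t *data, size_t data_len,
                           uint8_t *out)
{
    if (mask == NULL || mask_len != WS_MASK_LEN) {
        return -1;  /* reject short (or long) masks instead of reading mask[0..3] blindly */
    }
    for (size_t i = 0; i < data_len; i++) {
        out[i] = data[i] ^ mask[i % WS_MASK_LEN];
    }
    return 0;
}

/* Round-trip check with the masking key and "Hello" payload from RFC 6455
 * section 5.7 (masked form is 7f 9f 4d 51 58). Returns 1 when the payload
 * survives mask + unmask unchanged. */
int mask_roundtrip_ok(void)
{
    static const uint8_t mask[WS_MASK_LEN] = {0x37, 0xfa, 0x21, 0x3d};
    static const uint8_t plain[] = "Hello";
    uint8_t masked[sizeof plain], unmasked[sizeof plain];
    size_t n = sizeof plain - 1;
    if (websocket_mask_checked(mask, sizeof mask, plain, n, masked) != 0) return 0;
    if (websocket_mask_checked(mask, sizeof mask, masked, n, unmasked) != 0) return 0;
    return memcmp(plain, unmasked, n) == 0;
}

int main(void)
{
    const uint8_t short_mask[3] = {0x37, 0xfa, 0x21};  /* constructed 3-byte mask */
    uint8_t buf[8] = {0};
    int rc = websocket_mask_checked(short_mask, sizeof short_mask,
                                    (const uint8_t *)"Hello", 5, buf);
    printf("4-byte mask round-trip: %s\n", mask_roundtrip_ok() ? "ok" : "FAIL");
    printf("3-byte mask: %s\n", rc == 0 ? "accepted (bug)" : "rejected");
    return 0;
}
```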

Mitigations

This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).

Analysis (AI)

Out-of-bounds memory read in Tornado's optional C extension tornado.speedups: a missing length validation in the websocket_mask function exposes up to 3 bytes of uninitialized memory. Applications running Tornado versions prior to 6.5.6 with the native extension active and xsrf_cookies=True are reachable from the network without authentication (CVSS AV:N/PR:N), though the attack complexity is high (AC:H) because both configuration prerequisites must hold. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify a Tornado instance with the speedups extension and xsrf_cookies=True
  • Delivery: send a WebSocket frame whose mask is shorter than 4 bytes
  • Exploit: trigger the websocket_mask C function with the undersized buffer
  • Execution: the C function reads beyond the allocated mask buffer
  • Impact: receive up to 3 bytes of uninitialized process memory

Vulnerability Assessment (AI)

Exploitation: Two non-default conditions must be satisfied at the same time: (1) the `tornado.speedups` C extension must be installed (it is an optional build dependency, not included in pure-Python Tornado installs) and the environment variable `TORNADO_EXTENSION` must not be set to `0`; and (2) the Tornado application must be configured with `xsrf_cookies=True` so that the XSRF token decoder code path is active. …

Risk Assessment: The official CVSS base score of 3.7 (Low) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the constrained impact: at most 3 bytes of uninitialized memory can be disclosed per triggering event, and the attack requires both non-default conditions (native extension active and xsrf_cookies=True) to be true at once. …

Exploit Scenario: An attacker sends a WebSocket frame containing a mask shorter than four bytes to a Tornado application that has both the `tornado.speedups` C extension installed and `xsrf_cookies=True` enabled. The C `websocket_mask` function reads four bytes from the truncated mask buffer, accessing between one and three bytes of adjacent uninitialized memory and returning them as part of the WebSocket processing output. …

Remediation: The primary remediation is upgrading to Tornado 6.5.6, which introduces proper length validation on the `mask` argument in the C extension. …


CVE-2026-49854 vulnerability details – vuln.today
