Skip to main content

Python EUVDEUVD-2026-14478

| CVE-2026-26209 HIGH
Uncontrolled Recursion (CWE-674)
2026-03-23 GitHub_M GHSA-3c37-wwvx-h642
7.5
CVSS 3.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 19:00 euvd
EUVD-2026-14478
Analysis Generated
Mar 23, 2026 - 19:00 vuln.today
CVE Published
Mar 23, 2026 - 18:53 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 333 pypi packages depend on cbor2 (74 direct, 261 indirect)

Ecosystem-wide dependent count for version 5.9.0.

DescriptionGitHub Advisory

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension _cbor2. The C extension relies on Python's internal recursion limits Py_EnterRecursiveCall rather than a data-driven depth limit, meaning it still raises RecursionError and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays 0x81. When cbor2.loads() attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a RecursionError. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled RecursionError terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.

AnalysisAI

The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.

Technical ContextAI

cbor2 (CPE: cpe:2.3:a:agronholm:cbor2) is a Python library providing encoding and decoding for CBOR (Concise Binary Object Representation), a binary data serialization format defined in RFC 8949. The vulnerability stems from CWE-674 (Uncontrolled Recursion), where the library fails to enforce a hard depth limit when parsing nested CBOR structures. Both the pure Python implementation and the C extension _cbor2 are affected; the C extension relies on Python's Py_EnterRecursiveCall mechanism rather than implementing its own data-driven depth constraints. When processing deeply nested arrays (marked by CBOR byte 0x81), the recursive decoding calls exhaust either the Python interpreter's recursion limit or the stack memory, resulting in RecursionError exceptions that terminate the process. This vulnerability is triggered during the cbor2.loads() function call when parsing malicious CBOR payloads.

RemediationAI

Upgrade cbor2 to version 5.9.0 or later immediately, as documented in the release notes at https://github.com/agronholm/cbor2/releases/tag/5.9.0. The fix is implemented in commit e61a5f365ba610d5907a0ae1bc72769bba34294b (https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b) and merged via pull request #275 (https://github.com/agronholm/cbor2/pull/275). For environments where immediate patching is not feasible, implement input validation to reject CBOR payloads exceeding a reasonable size threshold (e.g., 50KB) and deploy rate limiting on endpoints accepting CBOR data to mitigate repeated crash attempts. Consider switching to alternative serialization formats (JSON, MessagePack) if CBOR is not strictly required. Review application monitoring to detect and alert on repeated worker crashes that may indicate active exploitation.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

EUVD-2026-14478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy