{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26209", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.814Z", "datePublished": "2026-03-23T18:53:10.268Z", "dateUpdated": "2026-03-24T18:35:35.486Z"}, "containers": {"cna": {"title": "cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"}, {"name": "https://github.com/agronholm/cbor2/pull/275", "tags": ["x_refsource_MISC"], "url": "https://github.com/agronholm/cbor2/pull/275"}, {"name": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b", "tags": ["x_refsource_MISC"], "url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b"}, {"name": "https://github.com/agronholm/cbor2/releases/tag/5.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0"}], "affected": [{"vendor": "agronholm", "product": "cbor2", "versions": [{"version": "< 5.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:53:10.268Z"}, "descriptions": [{"lang": "en", "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue."}], "source": {"advisory": "GHSA-3c37-wwvx-h642", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:35:22.617238Z", "id": "CVE-2026-26209", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:35:35.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26209", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:35:22.617238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:35:32.452Z"}}], "cna": {"title": "cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads", "source": {"advisory": "GHSA-3c37-wwvx-h642", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "agronholm", "product": "cbor2", "versions": [{"status": "affected", "version": "< 5.9.0"}]}], "references": [{"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642", "name": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/agronholm/cbor2/pull/275", "name": "https://github.com/agronholm/cbor2/pull/275", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b", "name": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0", "name": "https://github.com/agronholm/cbor2/releases/tag/5.9.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:53:10.268Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26209", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:35:35.486Z", "dateReserved": "2026-02-11T19:56:24.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:53:10.268Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue."}, {"lang": "es", "value": "cbor2 proporciona codificaci\u00f3n y decodificaci\u00f3n para el formato de serializaci\u00f3n Concise Binary Object Representation (CBOR). Las versiones anteriores a la 5.9.0 son vulnerables a un ataque de denegaci\u00f3n de servicio (DoS) causado por recursi\u00f3n incontrolada al decodificar estructuras CBOR profundamente anidadas. Esta vulnerabilidad afecta tanto a la implementaci\u00f3n pura de Python como a la extensi\u00f3n C '_cbor2'. La extensi\u00f3n C se basa en los l\u00edmites de recursi\u00f3n internos de Python 'Py_EnterRecursiveCall' en lugar de un l\u00edmite de profundidad basado en datos, lo que significa que a\u00fan genera 'RecursionError' y bloquea el proceso de trabajo cuando se alcanza el l\u00edmite. Aunque la biblioteca maneja niveles de anidamiento moderados, carece de un l\u00edmite de profundidad estricto. Un atacante puede proporcionar una carga \u00fatil CBOR manipulada que contenga aproximadamente 100.000 arrays anidados '0x81'. Cuando 'cbor2.loads()' intenta analizar esto, alcanza la profundidad m\u00e1xima de recursi\u00f3n del int\u00e9rprete de Python o agota la pila, lo que provoca que el proceso falle con un 'RecursionError'. Debido a que la biblioteca no impone sus propios l\u00edmites, permite que un atacante externo agote el recurso de pila de la aplicaci\u00f3n anfitriona. En muchos servidores de aplicaciones web (p. ej., Gunicorn, Uvicorn) o colas de tareas (Celery), un 'RecursionError' no manejado termina el proceso de trabajo inmediatamente. Al enviar un flujo de estos peque\u00f1os paquetes maliciosos (&lt;100KB), un atacante puede bloquear repetidamente los procesos de trabajo, lo que resulta en una denegaci\u00f3n de servicio completa para la aplicaci\u00f3n. La versi\u00f3n 5.9.0 corrige el problema."}], "id": "CVE-2026-26209", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:39.530", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b"}, {"source": "security-advisories@github.com", "url": "https://github.com/agronholm/cbor2/pull/275"}, {"source": "security-advisories@github.com", "url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cbor2: cbor2: Denial of Service due to uncontrolled recursion via crafted CBOR payloads", "id": "2450422", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450422"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in cbor2, a library for encoding and decoding Concise Binary Object Representation (CBOR) data. A remote attacker can exploit this vulnerability by sending a specially crafted CBOR payload containing deeply nested structures. This can cause the application to crash due to uncontrolled recursion, leading to a complete Denial of Service (DoS) for the affected application."], "name": "CVE-2026-26209", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-cpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-neuron-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-rocm-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-spyre-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis/vllm-tpu-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-cpu-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-cuda-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-gaudi-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-vllm-rocm-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-23T18:53:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26209\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26209\nhttps://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b\nhttps://github.com/agronholm/cbor2/pull/275\nhttps://github.com/agronholm/cbor2/releases/tag/5.9.0\nhttps://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cbor2", "source": "cna", "vendor": "agronholm"}, "product": "cbor2", "vendor": "agronholm"}], "created": "2026-03-24T10:33:08.595171+00:00", "updated": "2026-03-24T10:33:08.595254+00:00", "vendors": ["agronholm", "agronholm$PRODUCT$cbor2"]}