7.5 CVE-2026-26209

Enriched by CISA

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
https://nvd.nist.gov/vuln/detail/CVE-2026-26209

Categories

CWE-674 : Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size. Deeply nested arrays trigger stack exhaustion. Self-referencing pointers create infinite loop and resultant stack exhaustion. Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition. An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition. USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.

References

security-advisories@github.com

https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba3...
https://github.com/agronholm/cbor2/pull/275
https://github.com/agronholm/cbor2/releases/tag/5.9.0
https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642

AFFECTED (from MITRE)

Vendor	Product	Versions
agronholm	cbor2	< 5.9.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
230	Serialized Data with Nested Payloads Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.	High
231	Oversized Serialized Data Payloads An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution. An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side. An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.	High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee