CVE-2026-26209
Denial of Service in cbor2 via Deeply Nested CBOR Decoding
Publication date: 2026-03-23
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agronholm | cbor2 | up to 5.9.0 (excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26209 is a Denial of Service (DoS) vulnerability in the cbor2 Python library, which provides encoding and decoding for the CBOR serialization format. Versions prior to 5.9.0 are vulnerable due to uncontrolled recursion when decoding deeply nested CBOR structures.

The vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension relies on Python's internal recursion limits rather than enforcing its own depth limit, so when decoding a crafted CBOR payload with extremely deep nesting (e.g., around 100,000 nested arrays), it triggers Python's maximum recursion depth or exhausts the stack.

This causes the process to crash with a RecursionError, which in many environments (such as web servers or task queues) terminates the worker process immediately, leading to a denial of service. [2]
How can this vulnerability impact me?
This vulnerability can cause your application to suffer a Denial of Service by crashing worker processes that use the cbor2 library to decode CBOR data. An attacker can send specially crafted CBOR payloads with deeply nested arrays that trigger uncontrolled recursion, causing the process to hit Python's recursion limit and crash.

In environments like web application servers (e.g., Gunicorn, Uvicorn) or task queues (e.g., Celery), this results in immediate termination of worker processes. By repeatedly sending these malicious packets, an attacker can sustain the denial of service, making the application unavailable.

The attack requires no authentication or user interaction, has low complexity, and can be executed remotely, impacting any application using cbor2 to parse untrusted CBOR data, including IoT data processing, WebAuthn authentication, and inter-service communication. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or RecursionError exceptions in applications using the cbor2 library to decode CBOR data, especially when processing deeply nested CBOR payloads. Since the issue arises from uncontrolled recursion when decoding deeply nested arrays, detection involves identifying unusually deep or malformed CBOR data streams that cause worker processes to terminate unexpectedly.
A practical approach is to capture and analyze CBOR payloads received by your application, looking for payloads with excessive nesting (e.g., many repeated 0x81 bytes indicating nested arrays). You can also monitor application logs for RecursionError exceptions or unexpected worker process crashes.
While no specific detection commands are provided in the resources, you can use Python scripts to attempt decoding suspicious CBOR payloads with cbor2.loads() and observe if a RecursionError is raised. For example, a test script could try decoding crafted CBOR data with deep nesting to verify if the environment is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the cbor2 library to version 5.9.0 or later, which introduces a new decoder parameter `max_depth` that limits the maximum allowed nesting level during decoding (defaulting to 400 levels). This prevents uncontrolled recursion and resource exhaustion.
Additionally, version 5.9.0 reverts the default `read_size` parameter to 1 to maintain backward compatibility and avoid issues caused by buffered reads introduced in version 5.8.0.
If upgrading immediately is not possible, consider implementing application-level checks to limit the depth of CBOR data before decoding or catch RecursionError exceptions to prevent worker process crashes.
Also, monitor and filter incoming CBOR payloads to detect and block suspiciously deeply nested data that could trigger the vulnerability.
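The application-level depth check suggested above, and the detection idea of measuring how deeply a captured payload nests, can both be served by one iterative scanner over the CBOR head bytes. The example below is added here and is not code from the cbor2 project or the advisory; the names `nesting_depth`, `is_safe_to_decode` and `DEFAULT_MAX_DEPTH` are this example's own, and the 400-level default only mirrors the `max_depth` default the advisory reports for 5.9.0. It never calls cbor2, so it can gate data before a pre-5.9.0 `cbor2.loads()` ever sees it, and because it keeps an explicit stack instead of recursing, a 100,000-level payload cannot crash the check itself. The container rules follow RFC 8949 section 3; arrays, maps and tags count as nesting because a recursive decoder descends into each of them.

```python
"""Iterative CBOR nesting-depth check, for use before cbor2.loads().

Constructed example (not cbor2's own code): walks the CBOR heads with an
explicit stack, so it cannot be exhausted by the deep nesting it looks for.
"""
from __future__ import annotations

DEFAULT_MAX_DEPTH = 400  # assumption: mirrors the 5.9.0 max_depth default the advisory names


def nesting_depth(data: bytes, stop_at: int | None = None) -> int:
    """Return the deepest array/map/tag nesting in the first CBOR data item.

    With stop_at set, scanning stops as soon as the depth exceeds it and the
    over-limit depth is returned, so a huge payload is rejected after a few
    hundred bytes.  Raises ValueError on truncated or malformed heads.
    """
    pos, n = 0, len(data)
    stack: list[list] = []          # frames: [remaining items (-1 = indefinite), counts_as_nesting]
    depth = deepest = 0
    top_level_items = 1             # exactly one top-level item is expected

    def take(count: int) -> bytes:
        nonlocal pos
        if pos + count > n:
            raise ValueError("truncated CBOR data")
        chunk = data[pos:pos + count]
        pos += count
        return chunk

    while top_level_items or stack:
        # Close any definite-length container whose children are all consumed.
        if stack and stack[-1][0] == 0:
            if stack.pop()[1]:
                depth -= 1
            continue

        initial = take(1)[0]
        major, info = initial >> 5, initial & 0x1F

        if info < 24:
            arg = info
        elif info <= 27:
            arg = int.from_bytes(take(1 << (info - 24)), "big")   # 1/2/4/8-byte argument
        elif info == 31:
            arg = None                                            # indefinite length, or "break"
        else:
            raise ValueError(f"reserved additional info {info}")

        if major == 7 and info == 31:
            # "break" ends the innermost indefinite-length container.
            if not stack or stack[-1][0] != -1:
                raise ValueError("unexpected break code")
            if stack.pop()[1]:
                depth -= 1
            continue
        if arg is None and major in (0, 1, 6):
            raise ValueError("indefinite length not allowed for major type %d" % major)

        # This head starts a data item: account for it in the enclosing container.
        if stack:
            if stack[-1][0] > 0:
                stack[-1][0] -= 1
        else:
            top_level_items -= 1

        if major in (2, 3):                     # byte / text string
            if arg is None:
                stack.append([-1, False])       # chunks follow until break; not nesting
            else:
                take(arg)                       # skip the string payload
        elif major in (4, 5, 6):                # array / map / tag: a decoder recurses here
            if major == 6:
                remaining = 1
            elif arg is None:
                remaining = -1
            else:
                remaining = arg * (2 if major == 5 else 1)   # maps hold key+value pairs
            stack.append([remaining, True])
            depth += 1
            deepest = max(deepest, depth)
            if stop_at is not None and depth > stop_at:
                return depth
        # major 0/1 (integers) and 7 (simple values, floats) have no children
    return deepest


def is_safe_to_decode(data: bytes, max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """Pre-decode gate: True only if nesting stays within max_depth and the
    head structure is well-formed; malformed input is rejected as well."""
    try:
        return nesting_depth(data, stop_at=max_depth) <= max_depth
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: every 0x81 byte opens a one-element array.
    benign = b"\xa1\x01\x82\x02\x83\x03\x04\x05"   # {1: [2, [3, 4, 5]]}
    nested = b"\x81" * 100_000 + b"\x00"            # the ~100,000-level shape described above
    print(nesting_depth(benign), is_safe_to_decode(benign))   # 3 True
    print(is_safe_to_decode(nested))                           # False
```

Run the gate on the raw bytes before handing them to the decoder, and log the measured depth for rejected payloads: that gives the "unusually deep CBOR stream" signal the detection answer describes without the worker having to survive a RecursionError first. Once you are on 5.9.0 or later, the page's own fix applies: pass `max_depth` to the cbor2 decoder and keep this scanner only as a cheap, recursion-free first filter.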