CVE-2026-33155
Received Received - Intake
Memory Exhaustion via Pickle Unpickler in DeepDiff Before

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33155
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qluster deepdiff From 5.0.0 (inc) to 8.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33155 is a high-severity denial-of-service (DoS) vulnerability in the Python package DeepDiff, affecting versions 5.0.0 through 8.6.1. The issue lies in the _RestrictedUnpickler class used for safe deserialization of pickle data. While it restricts which classes can be loaded, it does not limit the size of constructor arguments passed during unpickling.

Some allowed classes, such as builtins.bytes, builtins.list, and builtins.range, have constructors that allocate memory proportional to their input size. An attacker can craft a small pickle payload (~40 bytes) that causes the application to allocate extremely large amounts of memory (e.g., 10+ GB), leading to crashes due to out-of-memory conditions.

There are two exploitation paths: one during direct pickle loading where large memory allocations occur, and another during delta application where malicious changes convert values to large bytes objects without size checks.

Impact Analysis

This vulnerability can cause a denial of service by exhausting system memory when an application deserializes untrusted pickle data or applies malicious delta objects. The crafted payloads can force the application to allocate gigabytes of memory from a very small input, leading to crashes or unresponsiveness.

As a result, any application using DeepDiff versions 5.0.0 to before 8.6.2 that processes untrusted pickle data is at risk of being taken down by an attacker without requiring code execution privileges.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability manifests as a denial-of-service condition caused by excessive memory allocation during deserialization of untrusted pickle payloads in DeepDiff versions 5.0.0 to before 8.6.2.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring applications that use DeepDiff for deserialization of pickle data, especially looking for unusually high memory usage or crashes related to out-of-memory errors.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves crafted pickle payloads causing large memory allocations, you can detect attempts by monitoring logs or network traffic for suspicious pickle data or by instrumenting the application to log or alert on large memory allocations during unpickling.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but general approaches include:'}, {'type': 'list_item', 'content': 'Use system monitoring tools like `top`, `htop`, or `free -m` to observe memory usage spikes in processes running DeepDiff.'}, {'type': 'list_item', 'content': "Use Python debugging or logging to wrap or monitor calls to `pickle_load` or DeepDiff's delta application methods to detect unusually large constructor arguments."}, {'type': 'list_item', 'content': 'If you have access to network captures, use tools like `tcpdump` or `Wireshark` to filter for pickle payloads being transmitted, then analyze them for suspiciously small payloads that could cause large memory allocations.'}, {'type': 'list_item', 'content': 'Example Python snippet to detect large allocations during unpickling (conceptual):\n```python\nimport deepdiff\ntry:\n # Attempt to load pickle data\n deepdiff.pickle_load(untrusted_data)\nexcept MemoryError:\n print("Potential exploit attempt detected: memory exhaustion during unpickling")\n```'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade DeepDiff to version 8.6.2 or later, where the vulnerability has been patched.

The patch introduces a maximum allocation size limit of 128 MB for size-sensitive constructors like bytes() and bytearray() during unpickling, preventing excessive memory allocation.

If upgrading immediately is not possible, consider the following interim mitigations:

  • Avoid deserializing pickle data from untrusted or unauthenticated sources.
  • Implement application-level resource limits (e.g., using OS-level memory limits or Python resource module) to restrict the maximum memory usage of processes performing deserialization.
  • Add additional validation or sandboxing around deserialization routines to detect and block unusually large constructor arguments.
  • Monitor application logs and system metrics for signs of memory exhaustion or crashes related to deserialization.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart