CVE-2026-10705
Deferred Deferred - Pending Action
Resource Consumption in Dask HLL Handler

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: VulDB

Description
A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of the file dask/dataframe/hyperloglog.py of the component HLL Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The pull request to fix this issue awaits acceptance.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-10705
EUVD
EUVD-2026-34064
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dask dask to 3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Immediate mitigation involves applying the fixes proposed in the pending pull request which include:

  • Preserving the full 64-bit output of pandas' hash_pandas_object function in HyperLogLog calculations instead of truncating to 32 bits.
  • Using the new configuration option `dataframe.shuffle.hash-key` to specify a custom hash key for shuffle operations, reducing the risk of hash collision exploitation.

Until the fix is accepted and deployed, monitoring for unusual resource consumption and data skew in shuffle operations is recommended.

Executive Summary

This vulnerability exists in the Dask library, specifically in the function nunique_approx within the file dask/dataframe/hyperloglog.py, which handles HyperLogLog (HLL) operations. The issue arises because Dask truncates 64-bit pandas hashes to 32-bit unsigned integers for HLL calculations, increasing hash collisions and reducing accuracy.

An attacker can exploit the deterministic nature of the hash function to craft keys that concentrate data into a single partition during shuffle and join operations. This causes data skew and resource consumption, potentially impacting availability. The attack requires a high degree of complexity and is difficult to execute remotely.

A fix is proposed to preserve the full 64-bit hash and allow configuration of hash keys to mitigate these collisions and routing issues.

Impact Analysis

The vulnerability can lead to increased resource consumption and availability issues in systems using Dask for data processing. By exploiting hash collisions, an attacker can cause data to be concentrated in a single partition, leading to skewed workloads and potential denial of service due to resource exhaustion.

This can degrade the performance and reliability of data processing tasks, especially in environments processing attacker-controlled data.

Detection Guidance

Detection of this vulnerability involves identifying abnormal resource consumption or skewed data partitioning caused by crafted keys exploiting hash collisions in Dask's HyperLogLog and shuffle operations.

A minimal example demonstrating how crafted keys can target a specific partition is provided in the issue discussion, which can be used as a basis for detection tests.

However, no specific network or system commands are provided in the available resources to detect this vulnerability directly.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart