CVE-2026-10705
Resource Consumption in Dask HLL Handler
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dask | dask | up to and including 3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the fixes proposed in the pending pull request, which include:
- Preserving the full 64-bit output of pandas' hash_pandas_object in the HyperLogLog calculation instead of truncating it to 32 bits, which removes the extra collisions the truncation introduces.
- Using the new configuration option `dataframe.shuffle.hash-key` to supply a custom hash key for shuffle operations, so that partition placement can no longer be predicted from the default, publicly known hash alone.
Until the fix is accepted and deployed, monitor for unusual resource consumption on individual workers and for data skew in shuffle operations, paying particular attention to jobs whose join or groupby keys come from untrusted input.
Can you explain this vulnerability to me?
This vulnerability exists in the Dask library, specifically in the function nunique_approx within the file dask/dataframe/hyperloglog.py, which implements the HyperLogLog (HLL) cardinality estimate. The issue arises because Dask truncates the 64-bit hashes returned by pandas' hash_pandas_object to 32-bit unsigned integers for the HLL calculation, which increases hash collisions and reduces the accuracy of the estimate.
Because the hash function is deterministic (hash_pandas_object uses a fixed default hash key), an attacker who controls key values can precompute hashes offline and craft keys that all route to the same partition during shuffle and join operations. The resulting data skew concentrates work and memory on a single worker, consuming resources and potentially impacting availability. The attack requires significant precomputation and a path to feed crafted keys into a Dask computation, and is difficult to execute remotely.
A fix is proposed that preserves the full 64-bit hash and allows a custom hash key to be configured, mitigating both the extra collisions and the predictable partition routing.
How can this vulnerability impact me?
The vulnerability can lead to increased resource consumption and availability problems in systems that use Dask for data processing. By exploiting hash collisions, an attacker can cause a disproportionate share of the data to be routed to a single partition, producing a skewed workload and potentially a denial of service when that worker exhausts its memory or CPU.
This degrades the performance and reliability of data processing tasks, especially where join or groupby keys are derived from attacker-controlled data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation means looking for abnormal resource consumption on a single worker or heavily skewed partition sizes after a shuffle, which is exactly what crafted colliding keys produce in Dask's HyperLogLog and shuffle operations.
A minimal example demonstrating how crafted keys can target a specific partition is provided in the issue discussion and can serve as the basis for a detection test.
No specific network or system commands for detecting this vulnerability are provided in the available resources; confirming exposure comes down to checking the installed Dask version against the affected range, and confirming exploitation comes down to the partition-size monitoring described above.
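The following is an added example, written for this page and not code from the Dask project, the pandas project, or the issue discussion. It illustrates both the explanation above (why a deterministic hash lets an attacker steer keys into one partition, and why truncating a 64-bit hash to 32 bits brings collisions within reach) and the detection question (a partition-skew check an operator could run). It assumes a stand-in for pandas' hash_pandas_object built from BLAKE2b with an 8-byte digest, routing of a row to partition hash % npartitions as in a hash-based shuffle, and a `secret` parameter that models the proposed `dataframe.shuffle.hash-key` option; the names `hash64`, `craft_keys`, `find_truncated_collision`, `partition_sizes`, `skew_ratio` and `is_skewed` are all hypothetical and Dask's real routing code is not reproduced.

```python
# Added example, not code from the Dask project or from the CVE page.
# Stand-in for a hash-based shuffle: shows (1) why a deterministic, keyless
# hash lets an attacker mine keys that all land in one partition, (2) why
# truncating a 64-bit hash to 32 bits makes collisions attacker-feasible, and
# (3) a partition-skew check an operator could run after a shuffle.
#
# Assumptions (mine, not from the page): pandas' hash_pandas_object is replaced
# by BLAKE2b with an 8-byte digest; a row goes to partition hash % npartitions;
# the optional `secret` models the proposed `dataframe.shuffle.hash-key` option.
import hashlib
import random

MASK32 = 0xFFFFFFFF


def hash64(key: str, secret: bytes = b"") -> int:
    """Deterministic 64-bit hash of a key. An empty secret models today's
    keyless default, where anyone can compute the same hash offline."""
    digest = hashlib.blake2b(key.encode(), digest_size=8, key=secret).digest()
    return int.from_bytes(digest, "little")


def partition_for(key: str, npartitions: int, secret: bytes = b"") -> int:
    """Hash-based routing: the partition a row with this key is shuffled to."""
    return hash64(key, secret) % npartitions


def craft_keys(n: int, npartitions: int, target: int = 0, seed: int = 0):
    """Attacker side: mine n keys that all route to `target` under the keyless
    hash. Only possible because the hash is predictable; it costs roughly
    npartitions hash evaluations per key. Returns (keys, attempts)."""
    rng = random.Random(seed)
    keys, attempts = [], 0
    while len(keys) < n:
        candidate = f"user-{rng.getrandbits(48):012x}"  # constructed sample key
        attempts += 1
        if partition_for(candidate, npartitions) == target:
            keys.append(candidate)
    return keys, attempts


def find_truncated_collision(seed: int = 0, limit: int = 2_000_000):
    """Birthday attack on the low 32 bits: two distinct keys whose 64-bit
    hashes differ but agree once truncated to uint32. Expected cost is about
    2**16 hashes; against the full 64-bit hash it would be about 2**32."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(limit):
        candidate = f"user-{rng.getrandbits(48):012x}"
        low = hash64(candidate) & MASK32
        if low in seen and seen[low] != candidate:
            return seen[low], candidate
        seen[low] = candidate
    return None


def partition_sizes(keys, npartitions: int, secret: bytes = b""):
    """Operator side: how many rows each partition receives after routing."""
    sizes = [0] * npartitions
    for key in keys:
        sizes[partition_for(key, npartitions, secret)] += 1
    return sizes


def skew_ratio(sizes) -> float:
    """Largest partition divided by the mean partition size: 1.0 is balanced,
    len(sizes) means every row landed in a single partition."""
    mean = sum(sizes) / len(sizes)
    return max(sizes) / mean if mean else 0.0


def is_skewed(sizes, threshold: float = 4.0) -> bool:
    """Flag a shuffle whose largest partition holds more than `threshold`
    times its fair share; tune the threshold to the job's normal key spread."""
    return skew_ratio(sizes) > threshold


if __name__ == "__main__":
    npartitions = 16
    crafted, attempts = craft_keys(400, npartitions, target=3)
    print(f"mined {len(crafted)} keys for partition 3 in {attempts} hashes")
    keyless = partition_sizes(crafted, npartitions)
    print("keyless routing:", keyless, "skewed =", is_skewed(keyless))
    # With a secret hash key the precomputed keys spread out again.
    keyed = partition_sizes(crafted, npartitions, b"per-deployment-secret")
    print("keyed routing  :", keyed, "skewed =", is_skewed(keyed))
    a, b = find_truncated_collision()
    print(f"uint32 collision: {a!r} and {b!r} share low bits "
          f"{hash64(a) & MASK32:#010x}; full 64-bit hashes differ: "
          f"{hash64(a) != hash64(b)}")
```

The skew check is the part an operator can reuse: feed it the per-partition row counts of a real shuffle (Dask exposes partition lengths through its dataframe API) and alert when the largest partition exceeds a multiple of its fair share. The secret-key run shows why a per-deployment `hash-key` defeats the precomputation: the attacker's mined keys were chosen against the default hash and spread evenly under any other key.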