CVE-2026-53877
Received Received - Intake

Buffer Over-Read in Django GIS GDALRaster

Vulnerability report for CVE-2026-53877, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Django Software Foundation

Description

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
django django to 5.2.16 (exc)
django django to 6.0.7 (exc)
django django 4.2
django django 5.2
django django 6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-805 The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53877 is a vulnerability in Django's GDALRaster component where the vsi_buffer property can over-read its in-memory buffer by about 32 bytes when constructed from a bytes object representing a raster file.

This over-read can disclose adjacent heap memory or, in rare cases, cause a segmentation fault, leading to potential service degradation.

The issue affects Django versions 6.0 before 6.0.7 and 5.2 before 5.2.16, and possibly earlier unsupported series.

Compliance Impact

The vulnerability in Django's GDALRaster component can lead to disclosure of adjacent heap memory, which may result in unintended exposure of sensitive data.

Such data disclosure risks could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards or any regulatory guidance.

Impact Analysis

This vulnerability can lead to the unintended disclosure of adjacent memory contents, which may expose sensitive data.

Additionally, it can cause service degradation through a potential segmentation fault, which might disrupt application availability.

Detection Guidance

This vulnerability involves a heap buffer over-read in the django.contrib.gis.gdal.GDALRaster component when constructed from a bytes object, specifically when accessing the vsi_buffer property. Detection would require monitoring or testing for abnormal memory access or crashes related to this component.

There are no specific commands or network detection methods provided in the available resources to detect this vulnerability directly on your system or network.

Mitigation Strategies

The primary mitigation step is to upgrade Django to a fixed version where this vulnerability is resolved. Specifically, upgrade to Django 6.0.7 or later if you are using the 6.0 series, or 5.2.16 or later if you are using the 5.2 series.

Avoid using vulnerable versions of Django, especially when handling raster files via the GDALRaster component, to prevent potential memory disclosure or service degradation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart