CVE-2026-26209
CVE-2026-26209 is a high-severity vulnerability in Agronholm Cbor2 with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-674.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (34th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-14478
- Weakness: CWE-674
- Affected product: Agronholm Cbor2
- Published:
- Last modified:
Description
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
Frequently asked questions
- What is CVE-2026-26209?
- cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
- How severe is CVE-2026-26209?
- CVE-2026-26209 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-26209 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (34th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-26209?
- CVE-2026-26209 affects Agronholm Cbor2. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-26209?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-26209 have an EU (EUVD) identifier?
- Yes. CVE-2026-26209 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-14478.
- When was CVE-2026-26209 published?
- CVE-2026-26209 was published on 2026-03-23 and last updated on 2026-06-17.
References
- https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b
- https://github.com/agronholm/cbor2/pull/275
- https://github.com/agronholm/cbor2/releases/tag/5.9.0
- https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642
Affected products (1)
- cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*
More vulnerabilities in Agronholm Cbor2
- CVE-2025-68131 — High (CVSS 7.5): cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting…
- CVE-2025-64076 — High (CVSS 7.5): Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C…
- CVE-2024-26134 — High (CVSS 7.5): cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization…
All CVEs affecting Agronholm Cbor2 →
Other CWE-674 (Uncontrolled Recursion) vulnerabilities
- CVE-2026-43185 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in…
- CVE-2023-51803 — Critical (CVSS 9.8): LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>"…
- CVE-2021-41752 — Critical (CVSS 9.8): Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due…
- CVE-2018-1000618 — Critical (CVSS 9.8): EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in…
- CVE-2025-10728 — Critical (CVSS 9.4): When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading…
- CVE-2026-40324 — Critical (CVSS 9.1): Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot…
Browse all CWE-674 (Uncontrolled Recursion) vulnerabilities →