PT-2026-54884 · Anyscale · Ray

Alexchenai

+6

·

Publicado

2026-07-01

·

Atualizado

2026-07-01

·

CVE-2026-57516

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read webdataset() function. The default decoder() function in webdataset datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.

Exploit

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-57516

Produtos afetados

Ray