Matthew Treinish

Name of the Vulnerable Software and Affected Versions: Qiskit versions 0.18.0 through 1.4.1 Description: A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats less than 13. This issue affects python processes calling Qiskit's `qiskit.qpy.load()` function, allowing the execution of arbitrary Python code embedded in the binary file as part of a specially constructed payload. Recommendations: For Qiskit versions 0.18.0 through 1.4.1, consider disabling the `qiskit.qpy.load()` function until a patch is available to prevent the execution of arbitrary Python code from malicious QPY files. Restrict the use of QPY files with versions less than 13 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Qiskit SDK versions 0.45.0 through 1.2.4 **Description** A maliciously crafted QPY file containing a malformed `symengine` serialization stream can cause a segfault within the `symengine` library, allowing an attacker to terminate the hosting process deserializing the QPY payload. This issue can be exploited by remote attackers, potentially causing a denial of service. **Recommendations** For Qiskit SDK versions 0.45.0 through 1.2.4, update to version 1.3.0 or later, which addresses this issue when using QPY format version 13. Additionally, consider patching the locally installed version of `symengine` in the deserializing environment to prevent the specific segfault. As a temporary workaround, consider restricting the use of QPY formats 10, 11, and 12, especially when the `use symengine` flag is set, to minimize the risk of exploitation. Use the provided Python function `check qpy payload` to detect potentially vulnerable QPY payloads.