Richrines1

**Name of the Vulnerable Software and Affected Versions** Qiskit IBM Runtime versions 0.1.0 through 0.21.1 **Description** The issue concerns the deserialization of JSON data using `qiskit ibm runtime.RuntimeDecoder`, which can lead to arbitrary code execution given a correctly formatted input string. This is possible because the decoder can be made to spawn a subprocess and execute arbitrary code. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 0.1.0 through 0.21.1, update to version 0.21.2 to resolve the issue. As a temporary workaround, consider disabling the use of `qiskit ibm runtime.RuntimeDecoder` for deserializing JSON data from untrusted sources until a patch is available. Restrict access to the `qiskit ibm runtime.RuntimeDecoder` function to minimize the risk of exploitation.