CVE-2025-64076

Name of the Vulnerable Software and Affected Versions cbor2 versions through 5.7.0

Description The cbor2 software contains issues in the decode definite long string() function within the C extension decoder (source/decoder.c). An integer underflow can lead to an out-of-bounds read, and a memory leak occurs due to missing reference count release. The integer underflow happens because of an incorrect variable reference and a missing state reset, causing negative values in chunk length calculations. The memory leak arises from failing to release Python object references for chunk objects in each iteration of the processing loop. These issues can be exploited remotely without authentication by sending specially crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters. Successful exploitation can lead to denial of service through process crashes or memory exhaustion.

Recommendations Update to version 5.7.1 or later.