PT-2026-27176 · Pypi · Cbor2

Romanticpragmatism · Published 2026-03-23 · Updated 2026-04-08

CVE-2026-26209
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: cbor2, versions prior to 5.9.0
Description: The cbor2 library is susceptible to a Denial of Service (DoS) attack due to uncontrolled recursion when decoding deeply nested CBOR structures. Both the pure Python implementation and the C extension are affected. The library lacks a configurable, data-driven depth limit, so an attacker can supply a crafted CBOR payload consisting of thousands of nested arrays (for example a run of 0x81 bytes, each of which opens a one-element array) and exhaust the host application's stack. Because each nesting level costs a single byte on the wire, such payloads are small, and sending a stream of them can repeatedly crash worker processes, resulting in a complete Denial of Service.

The vulnerability stems from the recursive design of the CBORDecoder class, specifically how it decodes the nested container types Array and Map. The array-decoding function loops over the declared item count and calls self.decode() for each item; when every item is itself an array, each nesting level adds another frame to the call stack, and the attacker controls the depth. The vulnerable code is in cbor2/decoder.py (pure Python implementation) and source/decoder.c (C extension implementation).
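The recursion described above, as an added illustration that is not cbor2's own code: a minimal CBOR decoder for unsigned integers and arrays in the same decode -> decode_array -> decode shape, the constructed 0x81 payload, and the same decoder with a data-driven depth cap. The names MiniDecoder, make_nested_arrays, DepthLimitExceeded and the max_depth parameter belong to this example, not to cbor2's API.

```python
"""Minimal recursive CBOR decoder (uints and arrays only) showing the nesting DoS and a depth cap."""

from typing import Any, Optional


class CBORDecodeError(ValueError):
    """Raised for malformed or unsupported input."""


class DepthLimitExceeded(CBORDecodeError):
    """Raised when container nesting exceeds the configured limit."""


def make_nested_arrays(depth: int) -> bytes:
    """Constructed payload: `depth` one-element arrays (0x81) wrapped around an empty array (0x80).

    0x81 is major type 4 (array) with additional info 1, so each byte opens one more
    nesting level; 0x80 is an empty array that terminates the chain.
    """
    return b"\x81" * depth + b"\x80"


class MiniDecoder:
    """Didactic decoder mirroring the recursive design the advisory describes.

    With max_depth=None the recursion is bounded only by the input, so a deep payload
    exhausts the stack. With a limit, decoding fails cleanly once that depth is reached.
    """

    def __init__(self, data: bytes, max_depth: Optional[int] = None) -> None:
        self.data = data
        self.pos = 0
        self.max_depth = max_depth
        self.depth = 0

    def _read(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise CBORDecodeError("premature end of input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _read_length(self, info: int) -> int:
        # Additional info 0..23 is the value itself; 24..27 mean 1/2/4/8 big-endian bytes follow.
        if info < 24:
            return info
        if info <= 27:
            return int.from_bytes(self._read(1 << (info - 24)), "big")
        raise CBORDecodeError(f"unsupported additional info {info}")

    def decode(self) -> Any:
        initial = self._read(1)[0]
        major, info = initial >> 5, initial & 0x1F
        if major == 0:
            return self._read_length(info)
        if major == 4:
            return self._decode_array(self._read_length(info))
        raise CBORDecodeError(f"major type {major} not supported by this demo")

    def _decode_array(self, length: int) -> list:
        # The data-driven check: enforced before recursing, so attacker-controlled
        # nesting cannot grow the call stack past max_depth frames of this method.
        if self.max_depth is not None and self.depth >= self.max_depth:
            raise DepthLimitExceeded(f"nesting deeper than {self.max_depth}")
        self.depth += 1
        try:
            # Same shape as the vulnerable loop: one recursive decode() per item.
            return [self.decode() for _ in range(length)]
        finally:
            self.depth -= 1


def decode(data: bytes, max_depth: Optional[int] = None) -> Any:
    return MiniDecoder(data, max_depth).decode()


def unbounded_decode_hits_recursion_limit(data: bytes) -> bool:
    """True if decoding with no depth limit blows the interpreter's recursion limit."""
    try:
        decode(data, max_depth=None)
    except RecursionError:
        return True
    return False


def bounded_decode_rejects(data: bytes, max_depth: int) -> bool:
    """True if the depth-limited decoder rejects the payload with DepthLimitExceeded."""
    try:
        decode(data, max_depth=max_depth)
    except DepthLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(decode(make_nested_arrays(3), max_depth=64))          # [[[[]]]]
    hostile = make_nested_arrays(10_000)                         # 10 001 bytes on the wire
    print("unbounded crashes:", unbounded_decode_hits_recursion_limit(hostile))
    print("bounded rejects:", bounded_decode_rejects(hostile, max_depth=64))
```

In pure Python the failure surfaces as a RecursionError once the interpreter's frame limit is hit, which a few hundred 0x81 bytes are enough to reach at the default setting. A decoder that recurses in native code gets no such exception: the native stack overflows and the process dies, which is the worker-process crash the advisory describes. The depth check is placed before the recursive call, not after, so the cost of a rejected payload is bounded by max_depth regardless of how many bytes follow.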
Recommendations: Update cbor2 to version 5.9.0 or later. Note that limiting request size at the application edge is not a substitute, since every 0x81 byte adds one nesting level and a payload of a few kilobytes can nest thousands of levels deep; until the upgrade is deployed, avoid decoding CBOR from untrusted sources.

Weakness Enumeration

Uncontrolled Recursion (CWE-674)

Related Identifiers

CVE-2026-26209
GHSA-3C37-WWVX-H642
OPENSUSE-SU-2026:10425-1
OPENSUSE-SU-2026:20468-1
SUSE-SU-2026:21139-1

Affected Products

Cbor2