CVE-2026-26209: cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
- The cbor2 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.
- This vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising a RecursionError. In some environments, this exception is not caught, thus causing the service process to terminate.
- While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python's global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., 0x81). When cbor2.loads() attempts to parse this, it hits the interpreter's recursion limit, causing the call to raise a RecursionError.
- By sending a stream of small (<100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.
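The advisory's core point is that the decoder has no data-driven depth limit of its own, so the only guard is the interpreter's recursion limit. The example below is an added mitigation sketch, not code from the cbor2 project: it walks the CBOR head bytes iteratively (explicit stack, no recursion), measures the array/map/tag nesting depth, and refuses the payload before it ever reaches cbor2.loads(). The names max_cbor_depth, safe_loads, CborDepthError and the MAX_DEPTH value of 64 are this example's own assumptions; the deeply nested sample bytes are constructed here to mirror the 0x81 pattern the advisory describes.

```python
"""Depth pre-check for CBOR payloads (added example, not part of cbor2)."""

MAX_DEPTH = 64  # assumed application limit; choose what your schema actually needs


class CborDepthError(ValueError):
    """Raised when a payload nests deeper than the configured limit."""


def _read_arg(data, pos, info):
    """Decode the 'additional information' field of a CBOR head byte.

    Returns (argument, new_pos); argument is None for indefinite length (31).
    """
    if info < 24:
        return info, pos
    if info == 31:
        return None, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("reserved additional-info value %d" % info)
    if pos + width > len(data):
        raise ValueError("truncated CBOR data")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def max_cbor_depth(data, limit=MAX_DEPTH):
    """Return the maximum array/map/tag nesting depth of a CBOR item.

    The walk keeps its own stack of open containers, so it never recurses and
    cannot itself hit RecursionError. It raises CborDepthError as soon as the
    depth exceeds `limit`, before any recursive decoder is asked to go that deep.
    """
    n = len(data)
    pos = 0
    stack = []      # remaining item count per open container; None = indefinite length
    deepest = 0

    def item_done():
        # One complete data item was consumed: credit it to the innermost
        # definite-length container and close every container that becomes complete.
        while stack and stack[-1] is not None:
            if stack[-1] > 1:
                stack[-1] -= 1
                return
            stack.pop()  # container finished; it is itself one item of its parent

    while pos < n:
        head = data[pos]
        pos += 1
        if head == 0xFF:  # "break" closes the innermost indefinite-length container
            if not stack or stack[-1] is not None:
                raise ValueError("unexpected break code")
            stack.pop()
            item_done()
            continue
        major, info = head >> 5, head & 0x1F
        arg, pos = _read_arg(data, pos, info)

        if major in (0, 1, 7):        # integers, simple values, floats: no payload to skip
            if arg is None:
                raise ValueError("indefinite length not allowed for major type %d" % major)
            item_done()
        elif major in (2, 3):         # byte / text strings: skip the payload bytes
            if arg is None:           # indefinite string: definite chunks until a break
                while True:
                    if pos >= n:
                        raise ValueError("truncated CBOR data")
                    chunk = data[pos]
                    pos += 1
                    if chunk == 0xFF:
                        break
                    if chunk >> 5 != major or (chunk & 0x1F) == 31:
                        raise ValueError("malformed indefinite-length string chunk")
                    clen, pos = _read_arg(data, pos, chunk & 0x1F)
                    pos += clen
            else:
                pos += arg
            if pos > n:
                raise ValueError("truncated CBOR data")
            item_done()
        else:                         # 4 = array, 5 = map, 6 = tag: open a container
            if major == 4:
                count = arg
            elif major == 5:
                count = None if arg is None else 2 * arg   # keys and values
            else:
                if arg is None:
                    raise ValueError("indefinite length not allowed for tags")
                count = 1                                   # a tag wraps exactly one item
            if count == 0:
                item_done()           # an empty container is already a complete item
                continue
            stack.append(count)
            deepest = max(deepest, len(stack))
            if deepest > limit:
                raise CborDepthError("nesting depth exceeds %d" % limit)

    if stack:
        raise ValueError("truncated CBOR data: %d container(s) left open" % len(stack))
    return deepest


def is_too_deep(data, limit=MAX_DEPTH):
    """True if the payload would be rejected by the depth check."""
    try:
        max_cbor_depth(data, limit)
        return False
    except CborDepthError:
        return True


def safe_loads(data, limit=MAX_DEPTH):
    """Pre-check depth, then decode with cbor2 (assumed installed; import deferred
    so the scanner itself has no dependency). A RecursionError that still escapes
    is converted to a normal exception so a worker can drop the request instead of dying."""
    max_cbor_depth(data, limit)
    import cbor2
    try:
        return cbor2.loads(data)
    except RecursionError as exc:
        raise CborDepthError("decoder recursion limit hit") from exc


# Constructed sample: 5000 one-element arrays (0x81) wrapped around the integer 0,
# the shape of payload the advisory describes.
DEEP_SAMPLE = b"\x81" * 5000 + b"\x00"

if __name__ == "__main__":
    print("depth of shallow item:", max_cbor_depth(b"\x82\x01\xa1\x61\x61\x81\x02"))
    print("deep sample rejected:", is_too_deep(DEEP_SAMPLE))
```

Running the pre-check in front of every cbor2.loads() call turns an uncaught RecursionError that kills the worker into an ordinary ValueError the request handler can log and reject; the limit is enforced on the bytes, so it does not depend on sys.setrecursionlimit() or on which cbor2 implementation (pure Python or _cbor2) is loaded.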