High severity · NVD Advisory · Published Feb 19, 2024 · Updated Feb 13, 2025
CBOR2 decoder has potential buffer overflow
CVE-2024-26134
Description
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR, RFC 8949) serialization format. In versions 5.5.1 up to and excluding 5.6.2, an attacker who can feed CBOR input to a service that parses it with cbor2 can crash that service by sending a sufficiently long object. Version 5.6.2 contains a patch for this issue.
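As an added example (this is not cbor2's code and does not reproduce cbor2's fix), the following minimal RFC 8949 decoder shows the property a decoder for this format needs in order to survive the kind of input the advisory describes: every length and count field in a CBOR item is chosen by the sender, so it is checked against the bytes actually present before anything is allocated, copied or recursed into. The message-size and nesting caps, the `Decoder`/`loads`/`probe` names and the sample messages are assumptions made for the example.

```python
"""Minimal defensive CBOR (RFC 8949) decoder.

Added example for this advisory; it is not cbor2's code and does not
reproduce cbor2's bug or fix. Every length or count field in the input is
sender-controlled, so it is validated against the remaining bytes before
anything is allocated, copied or recursed into. Caps and samples are assumed.
"""
import struct

MAX_INPUT = 1 << 20   # assumed cap on one CBOR message, enforced before decoding
MAX_DEPTH = 32        # assumed cap on array/map nesting


class CBORError(ValueError):
    """Raised for malformed, oversized or unsupported input."""


class Decoder:
    def __init__(self, data: bytes):
        if len(data) > MAX_INPUT:
            raise CBORError(f"{len(data)}-byte message exceeds cap of {MAX_INPUT}")
        self.buf = data
        self.pos = 0

    def _remaining(self) -> int:
        return len(self.buf) - self.pos

    def _take(self, n: int) -> bytes:
        # The only path bytes leave the buffer by: the declared size must fit.
        if n > self._remaining():
            raise CBORError(f"item declares {n} bytes at offset {self.pos}, "
                            f"only {self._remaining()} remain")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _need_items(self, count: int) -> None:
        # Each array element or map key/value costs at least one byte, so a
        # count above the remaining input can never be satisfied.
        if count > self._remaining():
            raise CBORError(f"container declares {count} items at offset {self.pos}, "
                            f"only {self._remaining()} bytes remain")

    def _head(self):
        # Initial byte: major type in the top 3 bits, additional info in the low 5.
        ib = self._take(1)[0]
        major, info = ib >> 5, ib & 0x1F
        if info < 24:
            arg = info
        elif info == 24:
            arg = self._take(1)[0]
        elif info == 25:
            arg = struct.unpack(">H", self._take(2))[0]
        elif info == 26:
            arg = struct.unpack(">I", self._take(4))[0]
        elif info == 27:
            arg = struct.unpack(">Q", self._take(8))[0]
        else:
            # 28-30 are reserved; 31 (indefinite length) is left out of this example.
            raise CBORError(f"unsupported additional info {info} at offset {self.pos - 1}")
        return major, info, arg

    def decode(self, depth: int = 0):
        if depth > MAX_DEPTH:
            raise CBORError(f"nesting deeper than {MAX_DEPTH}")
        major, info, arg = self._head()
        if major == 0:
            return arg                      # unsigned integer
        if major == 1:
            return -1 - arg                 # negative integer
        if major == 2:
            return self._take(arg)          # byte string: length is sender-controlled
        if major == 3:
            try:
                return self._take(arg).decode("utf-8")
            except UnicodeDecodeError:
                raise CBORError("invalid UTF-8 in text string") from None
        if major == 4:
            self._need_items(arg)
            return [self.decode(depth + 1) for _ in range(arg)]
        if major == 5:
            self._need_items(2 * arg)
            result = {}
            for _ in range(arg):
                key = self.decode(depth + 1)    # key is decoded before its value
                value = self.decode(depth + 1)
                try:
                    result[key] = value
                except TypeError:
                    raise CBORError("unhashable map key") from None
            return result
        if major == 7 and info < 24 and arg in (20, 21, 22):
            return {20: False, 21: True, 22: None}[arg]
        raise CBORError(f"unsupported major type {major} / info {info}")


def loads(data: bytes):
    """Decode one CBOR item and insist the whole message was consumed."""
    dec = Decoder(data)
    value = dec.decode()
    if dec.pos != len(data):
        raise CBORError(f"{len(data) - dec.pos} trailing bytes after item")
    return value


def probe(data: bytes):
    """Decode, or return the refusal reason instead of letting the caller crash."""
    try:
        return loads(data)
    except CBORError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (not taken from the advisory or from cbor2):
WELL_FORMED = bytes.fromhex("a2616101616242ff00")  # {"a": 1, "b": h'ff00'}
HUGE_BYTES = bytes.fromhex("5affffffff414243")     # bstr declaring 4294967295 bytes, 3 present
HUGE_ARRAY = bytes.fromhex("9affffffff")           # array declaring 4294967295 items, none present
DEEP = b"\x81" * 64 + b"\x00"                      # 64 nested one-element arrays

if __name__ == "__main__":
    for name, sample in [("WELL_FORMED", WELL_FORMED), ("HUGE_BYTES", HUGE_BYTES),
                         ("HUGE_ARRAY", HUGE_ARRAY), ("DEEP", DEEP)]:
        print(f"{name}: {probe(sample)!r}")
```

The three hostile samples each abuse a different sender-controlled field (a byte-string length, an array element count, and nesting depth); the decoder refuses all of them at the header, before any allocation proportional to the declared size. Indefinite-length items, tags and floats are deliberately left out so the bounds-checking logic stays in view.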
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cbor2 (PyPI) | >= 5.5.1, < 5.6.2 | 5.6.2 |
Affected products
Affected version ranges by package coordinate (GHSA coordinates; no CPE assigned):
- pkg:pypi/cbor2: >= 5.5.1, < 5.6.2
- pkg:rpm/opensuse/python-cbor2 (openSUSE Leap 16.0): < 5.6.5-160000.3.1
- pkg:rpm/opensuse/python-cbor2 (openSUSE Tumbleweed): < 5.6.5-2.1
- pkg:rpm/suse/python-cbor2 (SUSE Linux Enterprise Server 16.0): < 5.6.5-160000.3.1
- pkg:rpm/suse/python-cbor2 (SUSE Linux Enterprise Server for SAP applications 16.0): < 5.6.5-160000.3.1
Patches
Fixed upstream in cbor2 5.6.2 (agronholm/cbor2 pull request 204; the two commits and the 5.6.2 release tag are listed under References). The SUSE and openSUSE python-cbor2 packages listed above are fixed at the versions given as the upper bounds of their ranges: 5.6.5-160000.3.1 for Leap 16.0, SLES 16.0 and SLES for SAP applications 16.0, and 5.6.5-2.1 for Tumbleweed.
References
- GitHub Advisory Database, GHSA-375g-39jq-vq7m (advisory): github.com/advisories/GHSA-375g-39jq-vq7m
- NVD entry (advisory): nvd.nist.gov/vuln/detail/CVE-2024-26134
- Upstream commit: github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
- Upstream commit: github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
- Upstream pull request: github.com/agronholm/cbor2/pull/204
- Release 5.6.2: github.com/agronholm/cbor2/releases/tag/5.6.2
- Upstream security advisory (vendor confirmation): github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
- PyPA advisory database, PYSEC-2024-155: github.com/pypa/advisory-database/tree/main/vulns/cbor2/PYSEC-2024-155.yaml
- Fedora package-announce: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5
- Fedora package-announce: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ
- Fedora package-announce: lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY