CVE-2026-4870

Vulnerability

The vulnerability resides in the OpenQASM 2 parser used by the qiskit.qasm2.load() and qiskit.qasm2.loads() functions. IBM Qiskit SDK versions 0.43.0 through 2.5.0 are affected. When the parser encounters certain deeply nested classical expressions, the recursion depth exceeds the available stack space, leading to uncontrolled recursion [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U). The attacker supplies a specially crafted QASM2 input containing classical expressions that trigger excessive recursion. The input can be passed via the public API functions qiskit.qasm2.load() (from a file) or qiskit.qasm2.loads() (from a string). The parser then recurses past the stack limit, causing a segmentation fault [1].

Impact

Successful exploitation results in a segmentation fault, crashing the Qiskit process. This is a denial-of-service (DoS) condition with no impact on confidentiality or integrity (CVSS impact: N/I:N/A:H). The entire application using the affected SDK becomes unavailable until restarted [1].

Mitigation

The issue is fixed in Qiskit versions v1.4.6 and v2.4.2, which replace the uncontrolled recursion with a Python-space RecursionError exception once the expression depth exceeds the Python recursion limit. Users should upgrade to these versions. The Python recursion limit can be queried via sys.getrecursionlimit() and adjusted with sys.setrecursionlimit(). No workaround is available for unpatched versions [1].