CVE-2026-57585
Python Schwachstellenanalyse und -minderung

Überblick

CVE-2026-57585 is a Use After Free (CWE-416) vulnerability in MessagePack for Python (msgpack) that causes an out-of-bounds read and process crash (SEGV) when the Unpacker object is reused after an error occurs. It affects all versions of the msgpack pip package up to and including v1.2.0. The vulnerability was published on June 19, 2026, with a fix released in v1.2.1. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, GHSA).

Technische Details

The root cause is a Use After Free condition (CWE-416) in the C-level Unpacker implementation. When unpack_execute() returns an error (ret == -1), the internal parser context (unpack_context) was not properly cleared — specifically, unpack_clear() was not called on error paths in unpack_construct() and unpack_skip(). This left the context in a corrupt state with dangling or freed object references. Subsequent calls to unpack() or skip() on the same Unpacker instance would then operate on this corrupt context, leading to a SIGSEGV. The fix (commit 2c56ddb) adds unpack_clear() calls on all error return paths and corrects an off-by-one in the stack cleanup loop (GitHub Commit, GitHub Advisory).

Aufprall

Successful exploitation causes the Python process to crash with a SIGSEGV, resulting in a Denial of Service (DoS). Applications that process untrusted, externally-sourced MessagePack data using a reused Unpacker instance are at risk. There is no known confidentiality or integrity impact — the vulnerability is limited to availability (GHSA).

Ausnutzungsschritte

  1. Identify target: Find an application that uses msgpack.Unpacker in streaming mode and reuses the same Unpacker instance after catching deserialization errors (e.g., a network service accepting MessagePack-encoded input).
  2. Craft malformed input: Prepare a MessagePack payload that triggers a parse error, such as a fixmap with an integer key when strict_map_key=True is set (e.g., b"\x83\x73\xc4\x00" — a fixmap(3) with an integer key followed by an empty bin8).
  3. Send first payload: Submit the malformed payload to the target service. The Unpacker.unpack() call raises an exception (e.g., ValueError), which the application catches and continues.
  4. Send follow-up payload: Send a second (possibly valid or malformed) payload. Because the Unpacker context was not cleared after the first error, the subsequent unpack() or skip() call operates on a corrupt parser state, triggering a SIGSEGV and crashing the process (GitHub Commit, GHSA).

Indikatoren für Kompromittierung

  • Process: Python process terminating unexpectedly with a SIGSEGV (signal 11) or Segmentation fault message in system logs, originating from a msgpack deserialization call.
  • Logs: Application error logs showing repeated ValueError, FormatError, or StackError exceptions from msgpack.Unpacker, followed by an abrupt process exit without a clean Python traceback.
  • Network: Unusual or malformed MessagePack payloads received on application input channels, particularly those containing fixmap structures with non-string keys (e.g., raw bytes like \x83\x73\xc4\x00).

Risikominderung und Problemumgehungen

Upgrade the msgpack pip package to v1.2.1, which includes the fix for this vulnerability (msgpack Release). As a workaround for users who cannot upgrade immediately, always create a new Unpacker instance rather than reusing an existing one after any exception is caught during unpacking. Note that even with the patch applied, reusing a Streaming Unpacker after an error will not yield correct data — discarding the stream and unpacker on error is the correct design pattern regardless (GHSA).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt Python Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NeinJaJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NeinNeinJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NeinJaJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NeinJaJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NeinJaJun 26, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement