CVE-2026-57585
Python Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-57585 is a Use After Free (CWE-416) vulnerability in MessagePack for Python (msgpack) that causes an out-of-bounds read and process crash (SEGV) when the Unpacker object is reused after an error occurs. It affects all versions of the msgpack pip package up to and including v1.2.0. The vulnerability was published on June 19, 2026, with a fix released in v1.2.1. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, GHSA).

Dettagli tecnici

The root cause is a Use After Free condition (CWE-416) in the C-level Unpacker implementation. When unpack_execute() returns an error (ret == -1), the internal parser context (unpack_context) was not properly cleared — specifically, unpack_clear() was not called on error paths in unpack_construct() and unpack_skip(). This left the context in a corrupt state with dangling or freed object references. Subsequent calls to unpack() or skip() on the same Unpacker instance would then operate on this corrupt context, leading to a SIGSEGV. The fix (commit 2c56ddb) adds unpack_clear() calls on all error return paths and corrects an off-by-one in the stack cleanup loop (GitHub Commit, GitHub Advisory).

Impatto

Successful exploitation causes the Python process to crash with a SIGSEGV, resulting in a Denial of Service (DoS). Applications that process untrusted, externally-sourced MessagePack data using a reused Unpacker instance are at risk. There is no known confidentiality or integrity impact — the vulnerability is limited to availability (GHSA).

Passaggi di sfruttamento

  1. Identify target: Find an application that uses msgpack.Unpacker in streaming mode and reuses the same Unpacker instance after catching deserialization errors (e.g., a network service accepting MessagePack-encoded input).
  2. Craft malformed input: Prepare a MessagePack payload that triggers a parse error, such as a fixmap with an integer key when strict_map_key=True is set (e.g., b"\x83\x73\xc4\x00" — a fixmap(3) with an integer key followed by an empty bin8).
  3. Send first payload: Submit the malformed payload to the target service. The Unpacker.unpack() call raises an exception (e.g., ValueError), which the application catches and continues.
  4. Send follow-up payload: Send a second (possibly valid or malformed) payload. Because the Unpacker context was not cleared after the first error, the subsequent unpack() or skip() call operates on a corrupt parser state, triggering a SIGSEGV and crashing the process (GitHub Commit, GHSA).

Indicatori di compromesso

  • Process: Python process terminating unexpectedly with a SIGSEGV (signal 11) or Segmentation fault message in system logs, originating from a msgpack deserialization call.
  • Logs: Application error logs showing repeated ValueError, FormatError, or StackError exceptions from msgpack.Unpacker, followed by an abrupt process exit without a clean Python traceback.
  • Network: Unusual or malformed MessagePack payloads received on application input channels, particularly those containing fixmap structures with non-string keys (e.g., raw bytes like \x83\x73\xc4\x00).

Mitigazione e soluzioni alternative

Upgrade the msgpack pip package to v1.2.1, which includes the fix for this vulnerability (msgpack Release). As a workaround for users who cannot upgrade immediately, always create a new Unpacker instance rather than reusing an existing one after any exception is caught during unpacking. Note that even with the patch applied, reusing a Streaming Unpacker after an error will not yield correct data — discarding the stream and unpacker on error is the correct design pattern regardless (GHSA).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato Python Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NoJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NoNoJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NoJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NoJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NoJun 26, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità