CVE-2026-57585
Python Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-57585 is a Use After Free (CWE-416) vulnerability in MessagePack for Python (msgpack) that causes an out-of-bounds read and process crash (SEGV) when the Unpacker object is reused after an error occurs. It affects all versions of the msgpack pip package up to and including v1.2.0. The vulnerability was published on June 19, 2026, with a fix released in v1.2.1. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, GHSA).

Detalhes técnicos

The root cause is a Use After Free condition (CWE-416) in the C-level Unpacker implementation. When unpack_execute() returns an error (ret == -1), the internal parser context (unpack_context) was not properly cleared — specifically, unpack_clear() was not called on error paths in unpack_construct() and unpack_skip(). This left the context in a corrupt state with dangling or freed object references. Subsequent calls to unpack() or skip() on the same Unpacker instance would then operate on this corrupt context, leading to a SIGSEGV. The fix (commit 2c56ddb) adds unpack_clear() calls on all error return paths and corrects an off-by-one in the stack cleanup loop (GitHub Commit, GitHub Advisory).

Impacto

Successful exploitation causes the Python process to crash with a SIGSEGV, resulting in a Denial of Service (DoS). Applications that process untrusted, externally-sourced MessagePack data using a reused Unpacker instance are at risk. There is no known confidentiality or integrity impact — the vulnerability is limited to availability (GHSA).

Etapas de exploração

  1. Identify target: Find an application that uses msgpack.Unpacker in streaming mode and reuses the same Unpacker instance after catching deserialization errors (e.g., a network service accepting MessagePack-encoded input).
  2. Craft malformed input: Prepare a MessagePack payload that triggers a parse error, such as a fixmap with an integer key when strict_map_key=True is set (e.g., b"\x83\x73\xc4\x00" — a fixmap(3) with an integer key followed by an empty bin8).
  3. Send first payload: Submit the malformed payload to the target service. The Unpacker.unpack() call raises an exception (e.g., ValueError), which the application catches and continues.
  4. Send follow-up payload: Send a second (possibly valid or malformed) payload. Because the Unpacker context was not cleared after the first error, the subsequent unpack() or skip() call operates on a corrupt parser state, triggering a SIGSEGV and crashing the process (GitHub Commit, GHSA).

Indicadores de compromisso

  • Process: Python process terminating unexpectedly with a SIGSEGV (signal 11) or Segmentation fault message in system logs, originating from a msgpack deserialization call.
  • Logs: Application error logs showing repeated ValueError, FormatError, or StackError exceptions from msgpack.Unpacker, followed by an abrupt process exit without a clean Python traceback.
  • Network: Unusual or malformed MessagePack payloads received on application input channels, particularly those containing fixmap structures with non-string keys (e.g., raw bytes like \x83\x73\xc4\x00).

Mitigação e soluções alternativas

Upgrade the msgpack pip package to v1.2.1, which includes the fix for this vulnerability (msgpack Release). As a workaround for users who cannot upgrade immediately, always create a new Unpacker instance rather than reusing an existing one after any exception is caught during unpacking. Note that even with the patch applied, reusing a Streaming Unpacker after an error will not yield correct data — discarding the stream and unpacker on error is the correct design pattern regardless (GHSA).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Python Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NãoSimJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NãoNãoJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NãoSimJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NãoSimJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NãoSimJun 26, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades