CVE-2024-26134

7.5 HIGH

📋 TL;DR

cbor2 versions 5.5.1 through 5.6.1 can be crashed by a sufficiently long, deeply nested CBOR object: the decoder descends once per nesting level, so an attacker-controlled document with enough levels exhausts the decoder's stack and takes the process down instead of raising a catchable exception. Any service that decodes CBOR from untrusted sources with an affected version is exposed to denial of service; version 5.6.2 fixes the issue.

💻 Affected Systems

Products:
  • cbor2 Python library
Versions: 5.5.1 through 5.6.1 inclusive
Operating Systems: All operating systems where cbor2 is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where cbor2 is used to decode untrusted CBOR input. Systems that use cbor2 only for encoding, or that decode data from trusted sources only, are not exposed. The crash is triggered by nesting depth rather than raw payload size, so even a small message can trigger it.

📦 What is this software?

cbor2 is a Python encoder and decoder for the Concise Binary Object Representation (CBOR, RFC 8949), with an optional C extension that is used automatically when it is installed. It is commonly used for compact message serialization in APIs, IoT protocols and WebAuthn/COSE processing.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage through resource exhaustion, potentially affecting multiple dependent services in a chain.

🟠

Likely Case

The worker or process that decodes a malicious CBOR payload crashes outright and has to be restarted; an attacker who can send requests repeatedly can keep the service down for as long as the traffic continues.

🟢

If Mitigated

Limited impact with proper input validation and resource limits in place, though service may still experience degraded performance.

🌐 Internet-Facing: HIGH - Any service accepting CBOR input from untrusted sources is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal services processing CBOR from trusted sources have lower risk but could still be affected by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes example payloads. Exploitation requires sending CBOR data to a vulnerable endpoint, making it easy to weaponize for DoS attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.2

Vendor Advisory: https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m

Restart Required: Yes

Instructions:

1. Update cbor2 with pip: pip install --upgrade 'cbor2>=5.6.2' (and raise the pin in requirements.txt or your lock file so the fix is not reverted on the next deploy)
2. Restart all services that import cbor2
3. Verify the installed version with: pip show cbor2

🔧 Temporary Workarounds

Input size limiting

all

Cap the size of incoming CBOR data before parsing. Because every nesting level costs only one byte in CBOR, a cap must be small (kilobytes, not megabytes) to bound nesting depth meaningfully; treat this as a first line of defence and pair it with an explicit depth check.

# Python example: cap the request body before it reaches the decoder
import cbor2
MAX_ALLOWED_SIZE = 64 * 1024  # bytes; set to the largest legitimate message you expect
if len(cbor_data) > MAX_ALLOWED_SIZE:  # cbor_data: raw bytes from the request body
    raise ValueError('CBOR data too large')
result = cbor2.loads(cbor_data)
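A size cap alone does not say how deeply a message nests, and that is the property this advisory turns on. The following is an added example, not code from cbor2 or from the advisory: it walks the CBOR item structure with an explicit stack (so the checker itself never recurses), counts the deepest container nesting, and rejects the message before cbor2.loads ever sees it. The sample payloads are constructed here for illustration; the helper names (max_nesting_depth, safe_loads, exceeds_depth) and the default limits are assumptions, not part of the library.

```python
"""Pre-decode nesting-depth check for untrusted CBOR (added example, not cbor2 code)."""

# Major types from RFC 8949 section 3.1
MT_UNSIGNED, MT_NEGATIVE, MT_BYTES, MT_TEXT, MT_ARRAY, MT_MAP, MT_TAG, MT_SIMPLE = range(8)


def max_nesting_depth(data: bytes, limit: int) -> int:
    """Return the deepest container nesting in ``data`` without building objects.

    Arrays, maps, tags and indefinite-length strings each count as one level.
    Raises ValueError as soon as the depth exceeds ``limit`` or the encoding is
    malformed. The scan is iterative and bounded by len(data).
    """
    pos = 0
    deepest = 0
    # Each entry is the number of items still expected by an open container,
    # or None for an indefinite-length container that ends with a break code.
    stack: list = []

    def finish_item() -> None:
        # An item just completed: credit it to the enclosing definite-length
        # containers and close every container that is now full.
        while stack and stack[-1] is not None:
            stack[-1] -= 1
            if stack[-1] > 0:
                return
            stack.pop()

    while pos < len(data):
        initial = data[pos]
        pos += 1
        major, info = initial >> 5, initial & 0x1F

        if info < 24:
            arg = info
        elif info <= 27:
            width = 1 << (info - 24)            # 1, 2, 4 or 8 argument bytes follow
            if pos + width > len(data):
                raise ValueError("truncated argument")
            arg = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        elif info == 31:
            arg = None                          # indefinite length, or break for major type 7
        else:
            raise ValueError("reserved additional information")

        if major == MT_SIMPLE and arg is None:  # break code 0xff
            if not stack or stack[-1] is not None:
                raise ValueError("break outside an indefinite-length container")
            stack.pop()
            finish_item()
            continue
        if arg is None and major not in (MT_BYTES, MT_TEXT, MT_ARRAY, MT_MAP):
            raise ValueError("indefinite length not allowed for this major type")

        if major in (MT_BYTES, MT_TEXT) and arg is not None:
            if pos + arg > len(data):
                raise ValueError("truncated string payload")
            pos += arg                          # skip the string bytes
            finish_item()
        elif major in (MT_UNSIGNED, MT_NEGATIVE, MT_SIMPLE):
            finish_item()                       # scalar: the argument bytes were the value
        else:
            # A container opens: indefinite string, array, map or tag.
            if arg is None:
                pending = None
            elif major == MT_MAP:
                pending = arg * 2               # one key and one value per entry
            elif major == MT_TAG:
                pending = 1                     # a tag wraps exactly one item
            else:
                pending = arg
            if pending == 0:
                finish_item()                   # empty array or map: no level opened
                continue
            stack.append(pending)
            deepest = max(deepest, len(stack))
            if deepest > limit:
                raise ValueError(f"nesting depth exceeds limit of {limit}")

    if stack:
        raise ValueError("truncated: container never closed")
    return deepest


def exceeds_depth(data: bytes, limit: int) -> bool:
    """True if the message is rejected by the depth/structure check."""
    try:
        max_nesting_depth(data, limit)
        return False
    except ValueError:
        return True


def safe_loads(data: bytes, max_size: int = 64 * 1024, max_depth: int = 64):
    """Decode untrusted CBOR only after the size and depth checks pass (limits are assumptions)."""
    if len(data) > max_size:
        raise ValueError(f"CBOR message larger than {max_size} bytes")
    max_nesting_depth(data, max_depth)
    import cbor2  # deferred so the validator can be tested without cbor2 installed
    return cbor2.loads(data)


# Constructed sample inputs (not taken from the advisory):
SAMPLE_OK = bytes.fromhex("a2016568656c6c6f0282f93c0020")      # {1: "hello", 2: [1.0, -1]}
SAMPLE_INDEFINITE = bytes.fromhex("9f9f01ff5f4100ffff")          # [_ [_ 1], b"\x00"] with indefinite lengths
SAMPLE_NESTED = b"\x81" * 5000 + b"\x00"                        # 5000 one-element arrays around 0, 5001 bytes total
SAMPLE_TRUNCATED = b"\x82\x01"                                   # array of 2 with one element missing
```

Usage: call max_nesting_depth(body, 64) (or safe_loads) in the request handler before decoding. The 5000-level sample is only 5 KiB, which is why a size cap in the tens of kilobytes is not a depth bound on its own; a limit around 64 levels is far above what real protocol messages use and rejects the pathological case in a single pass over the bytes.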

Resource limits

linux

Use a decoding timeout so a slow or pathological message cannot tie up a worker indefinitely. Caveat: a Python-level SIGALRM handler only runs between bytecode instructions on the main thread, so it cannot interrupt the C extension in the middle of a decode and it does nothing against a hard process crash. Treat it as a guard against slow input, not as a fix for this advisory, and combine it with size/depth checks and process isolation.

# Python example with timeout (POSIX only; SIGALRM handlers fire only in the main thread)
import signal
import cbor2
class TimeoutException(Exception):
    pass
def timeout_handler(signum, frame):
    raise TimeoutException()
previous_handler = signal.signal(signal.SIGALRM, timeout_handler)
signal.alarm(5)  # 5 second timeout
try:
    result = cbor2.loads(data)
finally:
    signal.alarm(0)  # cancel the pending alarm
    signal.signal(signal.SIGALRM, previous_handler)  # restore whatever handler was installed before
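Because the failure mode is the process dying rather than an exception being raised, the only workaround that keeps the service up against an unknown payload is to run the decoder in a throwaway child process and treat a child that dies from a signal as a rejected message. The block below is an added example written for this page, not code from cbor2; it assumes a POSIX host (the fork start method), takes the decoder as a parameter (pass cbor2.loads in production), and includes a constructed stand-in decoder that aborts itself to show how a native crash surfaces to the parent.

```python
"""Run an untrusted-CBOR decode in a child process (added example, not cbor2 code)."""
import multiprocessing
import os


class UntrustedCborError(ValueError):
    """Raised when the isolated decoder crashed, hung, or rejected the input."""


def _decode_in_child(decoder, data, conn):
    # Child side: send back either the decoded object or the exception text.
    try:
        conn.send(("ok", decoder(data)))
    except Exception as exc:  # a Python-level decode error is reported, not fatal
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def decode_isolated(data: bytes, decoder, timeout: float = 5.0):
    """Decode ``data`` with ``decoder`` (e.g. cbor2.loads) in a child process.

    A hard crash in the decoder (the child dying from a signal, as a stack
    overflow in native code does) kills only the child; the parent observes a
    negative exit code and raises UntrustedCborError instead of going down.
    """
    # Assumption: POSIX host. fork lets the child call any decoder without pickling it.
    ctx = multiprocessing.get_context("fork")
    parent_end, child_end = ctx.Pipe(duplex=False)
    child = ctx.Process(target=_decode_in_child, args=(decoder, data, child_end))
    child.start()
    child_end.close()
    child.join(timeout)
    if child.is_alive():
        child.kill()
        child.join()
        raise UntrustedCborError(f"decoder exceeded {timeout}s")
    if child.exitcode < 0:
        raise UntrustedCborError(f"decoder died from signal {-child.exitcode}")
    if not parent_end.poll():
        raise UntrustedCborError(f"decoder exited with status {child.exitcode} and no result")
    status, payload = parent_end.recv()
    if status != "ok":
        raise UntrustedCborError(payload)
    return payload


def crash_like_vulnerable_decoder(data: bytes):
    """Constructed stand-in: dies in native code (SIGABRT) the way a crashing decoder would."""
    os.abort()


def decode_outcome(data: bytes, decoder) -> str:
    """Classify the result as 'ok', 'crashed' or 'rejected' for logging and metrics."""
    try:
        decode_isolated(data, decoder)
        return "ok"
    except UntrustedCborError as exc:
        return "crashed" if "signal" in str(exc) else "rejected"


if __name__ == "__main__":
    print(decode_outcome(b"\x01", len))                             # ok
    print(decode_outcome(b"\x01", bytes.fromhex))                   # rejected (TypeError in the child)
    print(decode_outcome(b"\x01", crash_like_vulnerable_decoder))   # crashed
```

A child process per request is expensive; in practice keep a small pool of pre-forked decoder workers and respawn any that die. The important property is the one the test exercises: a 'crashed' outcome is a logged, rate-limitable event in the parent rather than an outage.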

🧯 If You Can't Patch

  • Reject oversized and deeply nested messages at the application layer before they reach cbor2.loads; a depth check is the control that actually matches this bug
  • Decode untrusted CBOR in a separate worker process that can be restarted, so a crash does not take the whole service down
  • Network-level filtering is a weak substitute: generic WAF rules do not parse CBOR, so at most they can enforce a byte limit and rate limits on the endpoints concerned

🔍 How to Verify

Check if Vulnerable:

Check the installed cbor2 version with 'pip show cbor2' or 'python -c "import cbor2; print(cbor2.__version__)"'; any version from 5.5.1 through 5.6.1 inclusive is affected. Check every virtual environment and container image that decodes CBOR, not just the host interpreter.

Check Version:

python -c "import cbor2; print(cbor2.__version__)"

Verify Fix Applied:

Confirm the version is 5.6.2 or higher with 'pip show cbor2'. If you test with the example payloads from the advisory, do so in a disposable process or container, never against a production worker, since an unpatched decoder will crash rather than raise.

📡 Detection & Monitoring

Log Indicators:

  • Worker processes terminated by a signal (segfault or abort) immediately after reading a CBOR request body, or supervisor logs showing repeated restarts of the same worker
  • Decode calls that never log completion because the process died mid-request
  • Timeout errors on CBOR processing endpoints

Network Indicators:

  • CBOR payloads that consist mostly of repeated container-header bytes (deeply nested arrays or maps), regardless of overall size
  • Bursts of requests to CBOR endpoints that coincide with worker restarts

SIEM Query:

source="application.logs" AND ("cbor2" OR "CBOR") AND ("crash" OR "segfault" OR "signal" OR "memory" OR "timeout" OR "restart")
