CVE-2026-26209

Summary

• The cbor2 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.
• This vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising a RecursionError. In some environments, this exception is not caught, thus causing the service process to terminate.
• While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python's global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., 0x81). When cbor2.loads() attempts to parse this, it hits the interpreter's recursion limit, causing the call to raise a RecursionError.
• By sending a stream of small (<100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.

Details

• The vulnerability stems from the recursive design of the CBORDecoder class, specifically how it decodes nested container types like Arrays and Maps.
• Inside decode_array (and similarly decode_map), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls self.decode() again to parse the nested item. This recursive call lacks a depth-tracking mechanism.
• Vulnerable Code Locations:
• cbor2/decoder.py (Pure Python implementation)
• source/decoder.c (C extension implementation)
• Execution Flow:

1. The cbor2.loads() function initializes a CBORDecoder and calls its decode() method.
2. The decode() method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls decode_array.
3. decode_array loops and calls self.decode() for each item, leading to deep recursion when parsing a payload like [...[...[1]...]...].

PoC

import cbor2
DEPTH = 1000
payload = b'\x81' * DEPTH + b'\x01'
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering decoder...")
try:
    cbor2.loads(payload)
    print("[+] Parsed successfully (Not Vulnerable)")
except RecursionError:
    print("\n[!] VULNERABLE: RecursionError triggered!")
except Exception as e:
    print(f"\n[-] Unexpected Error: {type(e).__name__}: {e}")

Impact

• Scope: This vulnerability affects any application using cbor2 to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).
• Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.

Credit

This issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.