cbor2 Denial of Service via Uncontrolled Recursion
The cbor2 library is vulnerable to a Denial of Service (DoS) attack due to uncontrolled recursion when decoding deeply nested CBOR structures, allowing a remote attacker to crash worker processes with crafted CBOR payloads.
The cbor2 library, versions 5.8.0 and earlier, is susceptible to a Denial of Service (DoS) attack stemming from uncontrolled recursion during the decoding of deeply nested CBOR structures. This affects both the pure Python implementation and the C extension (_cbor2). While the C extension uses Py_EnterRecursiveCall for recursion protection, the resulting RecursionError can terminate the service process in certain environments if not properly handled. An attacker can exploit this by sending a crafted CBOR payload containing thousands of nested arrays (e.g., 0x81). When cbor2.loads() attempts to parse this malicious input, it exceeds the interpreter's recursion limit, leading to a RecursionError and subsequent process termination. This vulnerability allows for a low-bandwidth DoS, as payloads under 100KB can reliably crash worker processes faster than they can be restarted, causing a sustained outage.
Attack Chain
- The attacker crafts a malicious CBOR payload with deeply nested arrays, such as
b'\x81' * DEPTH + b'\x01'where DEPTH is a large number like 1000. - The attacker sends the crafted CBOR payload to an application that utilizes the
cbor2library for decoding CBOR data. - The
cbor2.loads()function is called to decode the received CBOR payload. - The
CBORDecoder.decode()method is invoked, which reads the initial byte and dispatches control to a handler based on the major type (Array in this case). - The
decode_arraymethod iterates through the elements specified in the CBOR header, recursively callingself.decode()for each element. - Due to the deep nesting, the recursive calls to
self.decode()exceed the interpreter's recursion limit. - A
RecursionErroris raised, but may not be properly caught by the application. - The worker process terminates, resulting in a Denial of Service. An attacker can repeatedly send these small packets to sustain the denial of service.
Impact
This vulnerability impacts applications that use cbor2 to parse untrusted data, potentially leading to a complete Denial of Service. Affected applications include those dealing with IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE. A successful attack allows a remote, unauthenticated attacker to repeatedly crash worker processes using small CBOR payloads (under 100KB), causing a sustained outage.
Recommendation
- Upgrade to a patched version of
cbor2greater than 5.8.0 to remediate CVE-2026-26209. - Implement input validation and sanitization to limit the depth of CBOR structures being processed by
cbor2.loads()to prevent uncontrolled recursion. - Monitor application logs for
RecursionErrorexceptions originating fromcbor2to detect potential exploitation attempts. - Deploy the provided Sigma rule to detect processes crashing due to
RecursionErrororiginating from the cbor2 library. - Implement rate limiting and request size limits for services parsing CBOR data to mitigate the impact of DoS attacks.
Detection coverage 2
Detect cbor2 RecursionError in Logs
highDetects RecursionError exceptions in application logs potentially caused by the cbor2 vulnerability.
Detect cbor2 process crash due to RecursionError
criticalDetects process crash events where the process exits with a RecursionError related to cbor2
Detection queries are available on the platform. Get full rules →