{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/uproot/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-9147"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["uproot"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","python","code-execution"],"_cs_type":"advisory","_cs_vendors":["uproot project"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-9147, has been identified in the \u003ccode\u003euproot\u003c/code\u003e Python library, which is used for reading and writing ROOT files. \u003ccode\u003euproot\u003c/code\u003e dynamically generates and compiles Python class source code at runtime from ROOT \u003ccode\u003eTStreamerInfo\u003c/code\u003e records found within these files. The vulnerability arises because certain file-controlled streamer metadata fields, such as streamer element names, are directly interpolated into the generated Python source code without proper safe quoting mechanisms like \u003ccode\u003erepr()\u003c/code\u003e or the \u003ccode\u003e!r\u003c/code\u003e format specifier. An attacker can exploit this by crafting a malicious ROOT file containing Python expression-breaking content within a streamer metadata field. When an application utilizes \u003ccode\u003euproot\u003c/code\u003e to open or process such a file, the injected Python expression is evaluated in the context of the running process, leading to arbitrary Python code execution. This poses a significant risk to applications that process untrusted ROOT files, enabling attackers to fully compromise the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious ROOT file containing specially malformed \u003ccode\u003eTStreamerInfo\u003c/code\u003e records.\u003c/li\u003e\n\u003cli\u003eWithin these \u003ccode\u003eTStreamerInfo\u003c/code\u003e records, the attacker embeds Python expression-breaking content into streamer metadata fields, such as streamer element names.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this crafted ROOT file to a victim, potentially through email, download, or by placing it in a shared repository.\u003c/li\u003e\n\u003cli\u003eA victim's application, which uses the \u003ccode\u003euproot\u003c/code\u003e library, attempts to open or process the malicious ROOT file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003euproot\u003c/code\u003e dynamically generates Python class source code based on the \u003ccode\u003eTStreamerInfo\u003c/code\u003e records, interpolating the attacker-controlled metadata fields directly into the source.\u003c/li\u003e\n\u003cli\u003eDue to the lack of safe quoting, the injected Python expression-breaking content becomes part of the generated Python code.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003euproot\u003c/code\u003e compiles and invokes the corresponding reader method, causing the injected Python expression to be evaluated.\u003c/li\u003e\n\u003cli\u003eArbitrary Python code is executed on the victim's system with the privileges of the affected application, leading to full system compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9147 results in arbitrary Python code execution on the system processing the malicious ROOT file. This allows an attacker to take complete control of the affected application and potentially the underlying operating system. The specific damage could range from data theft and modification to the installation of additional malware, remote access tools, or complete system compromise. Organizations processing ROOT files from untrusted sources, particularly in scientific research, data analysis, or high-energy physics domains, are at risk. No specific victim counts or targeted sectors are provided, but any application using \u003ccode\u003euproot\u003c/code\u003e to handle external ROOT files is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-9147 by upgrading the \u003ccode\u003euproot\u003c/code\u003e library to a version that addresses this vulnerability immediately across all affected systems.\u003c/li\u003e\n\u003cli\u003eImplement strict validation and sanitization for all ROOT files ingested from untrusted or external sources to prevent the processing of malicious content.\u003c/li\u003e\n\u003cli\u003eReduce the attack surface by limiting the types of files applications can process and ensuring \u003ccode\u003euproot\u003c/code\u003e-using applications run with the least necessary privileges.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs for unusual Python script executions originating from applications that typically process data files, which could indicate exploitation of CVE-2026-9147.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T13:18:30Z","date_published":"2026-07-18T13:18:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-uproot-rce/","summary":"A vulnerability, CVE-2026-9147, in the uproot library allows arbitrary Python code execution when processing crafted ROOT files due to improper handling of streamer metadata fields during dynamic code generation, impacting applications that open or process untrusted ROOT files.","title":"Arbitrary Code Execution in uproot via Crafted ROOT Files (CVE-2026-9147)","url":"https://feed.craftedsignal.io/briefs/2026-07-uproot-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Uproot","version":"https://jsonfeed.org/version/1.1"}