<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Recursion-Error - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/recursion-error/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/recursion-error/feed.xml" rel="self" type="application/rss+xml"/><item><title>cbor2 Denial of Service via Uncontrolled Recursion</title><link>https://feed.craftedsignal.io/briefs/2024-01-cbor2-dos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cbor2-dos/</guid><description>The cbor2 library is vulnerable to a Denial of Service (DoS) attack due to uncontrolled recursion when decoding deeply nested CBOR structures, allowing a remote attacker to crash worker processes with crafted CBOR payloads.</description><content:encoded><![CDATA[<p>The <code>cbor2</code> library, versions 5.8.0 and earlier, is susceptible to a Denial of Service (DoS) attack stemming from uncontrolled recursion during the decoding of deeply nested CBOR structures. This affects both the pure Python implementation and the C extension (<code>_cbor2</code>). While the C extension uses <code>Py_EnterRecursiveCall</code> for recursion protection, the resulting <code>RecursionError</code> can terminate the service process in certain environments if not properly handled. An attacker can exploit this by sending a crafted CBOR payload containing thousands of nested arrays (e.g., <code>0x81</code>). When <code>cbor2.loads()</code> attempts to parse this malicious input, it exceeds the interpreter's recursion limit, leading to a <code>RecursionError</code> and subsequent process termination. This vulnerability allows for a low-bandwidth DoS, as payloads under 100KB can reliably crash worker processes faster than they can be restarted, causing a sustained outage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious CBOR payload with deeply nested arrays, such as <code>b'\x81' * DEPTH + b'\x01'</code> where DEPTH is a large number like 1000.</li>
<li>The attacker sends the crafted CBOR payload to an application that utilizes the <code>cbor2</code> library for decoding CBOR data.</li>
<li>The <code>cbor2.loads()</code> function is called to decode the received CBOR payload.</li>
<li>The <code>CBORDecoder.decode()</code> method is invoked, which reads the initial byte and dispatches control to a handler based on the major type (Array in this case).</li>
<li>The <code>decode_array</code> method iterates through the elements specified in the CBOR header, recursively calling <code>self.decode()</code> for each element.</li>
<li>Due to the deep nesting, the recursive calls to <code>self.decode()</code> exceed the interpreter's recursion limit.</li>
<li>A <code>RecursionError</code> is raised, but may not be properly caught by the application.</li>
<li>The worker process terminates, resulting in a Denial of Service. An attacker can repeatedly send these small packets to sustain the denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability impacts applications that use <code>cbor2</code> to parse untrusted data, potentially leading to a complete Denial of Service. Affected applications include those dealing with IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE. A successful attack allows a remote, unauthenticated attacker to repeatedly crash worker processes using small CBOR payloads (under 100KB), causing a sustained outage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched version of <code>cbor2</code> greater than 5.8.0 to remediate CVE-2026-26209.</li>
<li>Implement input validation and sanitization to limit the depth of CBOR structures being processed by <code>cbor2.loads()</code> to prevent uncontrolled recursion.</li>
<li>Monitor application logs for <code>RecursionError</code> exceptions originating from <code>cbor2</code> to detect potential exploitation attempts.</li>
<li>Deploy the provided Sigma rule to detect processes crashing due to <code>RecursionError</code> originating from the cbor2 library.</li>
<li>Implement rate limiting and request size limits for services parsing CBOR data to mitigate the impact of DoS attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cbor2</category><category>denial-of-service</category><category>recursion-error</category><category>python</category></item></channel></rss>