The CVE-2024-26134 vulnerability pertains to the cbor2 library, a tool offering encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format as per RFC 8949. In versions 5.5.1 and prior, an attacker can potentially crash a service utilizing cbor2 by sending an excessively long object during CBOR binary parsing. The severity of this issue is rated as high, with a CVSS 3.x Base Score of 7.5.
To mitigate this vulnerability, users are strongly advised to update their cbor2 library to version 5.6.2, which includes a patch specifically addressing this identified flaw. However, it’s important to note that the severity and risk associated with this vulnerability are contingent on the specific use case and environment in which cbor2 is employed. Security professionals and administrators should evaluate the impact on their systems and prioritize the update accordingly.
For more detailed information and the patch implementation, users can refer to the associated GitHub commit here. As this vulnerability is currently awaiting analysis, users should remain vigilant for any further updates or advisories from the cbor2 library maintainers.
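The flaw described above is a resource-exhaustion problem: a length field in the CBOR head of an incoming message claims far more data than the message actually carries, and the decoder commits resources before checking. Upgrading to 5.6.2 is the fix; as an added example (not code from the cbor2 project or from the advisory), the following pre-parse filter shows the defensive check a service can apply at its boundary regardless of library version. It walks the data-item heads defined in RFC 8949 without building any Python objects and rejects a message whose declared string, array or map lengths are not backed by the bytes received, exceed a policy cap, or nest too deeply. `MAX_MESSAGE_BYTES`, `MAX_DECLARED_LENGTH` and `MAX_NESTING_DEPTH` are hypothetical policy values chosen for illustration, and the test messages are constructed.

```python
"""Pre-parse sanity check for CBOR input (added example, not cbor2's own code).

Walks the CBOR data-item heads (RFC 8949 section 3) and rejects input whose
declared lengths cannot be backed by the bytes actually received or exceed a
policy cap. The limits below are constructed policy values, not values from
the CVE; tune them to the service's real message sizes.
"""

MAX_MESSAGE_BYTES = 64 * 1024      # hypothetical transport-level cap
MAX_DECLARED_LENGTH = 1 << 16      # hypothetical cap on any single length field
MAX_NESTING_DEPTH = 64             # hypothetical cap on container nesting

_BREAK = 0xFF                      # "break" stop code for indefinite-length items


class CborRejected(ValueError):
    """Raised when input fails the pre-parse checks."""


def read_head(buf: bytes, off: int):
    """Decode one data-item head at buf[off] -> (major_type, argument, next_offset).

    argument is None for indefinite-length items (additional info 31).
    """
    if off >= len(buf):
        raise CborRejected("truncated item head")
    initial = buf[off]
    major, ai = initial >> 5, initial & 0x1F
    if ai < 24:                             # argument is carried in the initial byte
        return major, ai, off + 1
    if ai == 31:
        return major, None, off + 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None:                       # additional info 28-30 are reserved
        raise CborRejected(f"reserved additional info {ai}")
    end = off + 1 + width
    if end > len(buf):
        raise CborRejected("truncated argument")
    return major, int.from_bytes(buf[off + 1:end], "big"), end


def _walk(buf: bytes, off: int, max_len: int, depth: int) -> int:
    """Validate the item at buf[off] recursively; return the offset just past it."""
    if depth > MAX_NESTING_DEPTH:
        raise CborRejected("nesting too deep")
    major, arg, off = read_head(buf, off)
    remaining = len(buf) - off
    if arg is None and major not in (2, 3, 4, 5, 7):
        raise CborRejected(f"indefinite length not allowed for major type {major}")
    if major in (0, 1):                     # unsigned / negative integer: no payload
        return off
    if major == 7:                          # simple values and floats
        if arg is None:
            raise CborRejected("unexpected break code")
        return off
    if major == 6:                          # tag: exactly one enclosed item
        return _walk(buf, off, max_len, depth + 1)
    if major in (2, 3):                     # byte string / text string
        if arg is None:                     # indefinite: definite chunks until break
            while True:
                if off >= len(buf):
                    raise CborRejected("unterminated indefinite string")
                if buf[off] == _BREAK:
                    return off + 1
                m, n, off = read_head(buf, off)
                if m != major or n is None:
                    raise CborRejected("malformed string chunk")
                if n > max_len or n > len(buf) - off:
                    raise CborRejected(f"chunk length {n} not backed by input")
                off += n
        if arg > max_len or arg > remaining:
            raise CborRejected(f"declared string length {arg} not backed by input")
        return off + arg
    # major 4 (array) or 5 (map): arg is the entry count
    items_per_entry = 2 if major == 5 else 1
    if arg is None:                         # indefinite container: items until break
        while True:
            if off >= len(buf):
                raise CborRejected("unterminated indefinite container")
            if buf[off] == _BREAK:
                return off + 1
            off = _walk(buf, off, max_len, depth + 1)
    # every item needs at least one byte, so the count is bounded by remaining input
    if arg > max_len or arg * items_per_entry > remaining:
        raise CborRejected(f"declared container size {arg} not backed by input")
    for _ in range(arg * items_per_entry):
        off = _walk(buf, off, max_len, depth + 1)
    return off


def check_cbor_input(buf: bytes, max_len: int = MAX_DECLARED_LENGTH) -> int:
    """Validate one CBOR message; return its byte length or raise CborRejected."""
    if len(buf) > MAX_MESSAGE_BYTES:        # cheapest check first, before any parsing
        raise CborRejected("message exceeds transport cap")
    end = _walk(buf, 0, max_len, 0)
    if end != len(buf):
        raise CborRejected("trailing bytes after top-level item")
    return end


def is_safe_to_decode(buf: bytes) -> bool:
    """Boolean wrapper for a service boundary: call cbor2.loads(buf) only if True."""
    try:
        check_cbor_input(buf)
        return True
    except CborRejected:
        return False
```

The check is linear in the size of the received message and allocates nothing proportional to the declared lengths, so it can sit in front of the decoder on untrusted input. It is a defence-in-depth layer, not a replacement for the upstream patch: it validates structure and bounds, not the semantics the application expects of the decoded value.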