Summary
MessagePack for Python (the `msgpack` package) has an out-of-bounds read in versions up to and including 1.2.0. If an `Unpacker` instance is used again after one of its calls has raised an exception that the caller caught, the next operation on that instance can read out of bounds and crash the process with a segmentation fault. Because a single malformed message is enough to trigger that first exception, code that streams untrusted MessagePack through one long-lived `Unpacker` can be crashed on demand by whoever controls the stream: a denial-of-service risk.
How to fix it
- Upgrade `msgpack` to 1.2.1 or later, which fixes the out-of-bounds read.
- Until you can upgrade, never reuse an `Unpacker` after any of its calls has raised: discard that instance and create a new one.
- Treat a stream that has already produced an unpacking error as untrustworthy and stop reading from it, rather than resynchronising and carrying on with the same parser.
How to avoid it in your code
- Create a fresh deserializer per message (or at least per error) when parsing untrusted binary input; do not carry a stateful parser across an error boundary.
- Put size and resource limits around deserialization of untrusted data (for example `Unpacker(max_buffer_size=...)`, which caps how much unparsed input a peer can make you buffer), and isolate it so a crash cannot take down a shared process.
- Keep serialization libraries patched and subscribe to advisories for any format you parse at a network boundary.
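The following is an added illustration of the fix and avoidance guidance above; it is not code from this advisory or from the `msgpack` project. `UntrustedStreamDecoder`, `StreamClosed`, `decode_framed` and the 64 KiB limit are assumptions chosen for the example; the `msgpack.Unpacker`, `max_buffer_size`, `feed()` and exception classes it uses are the real library API.

```python
"""Added example: stream MessagePack from an untrusted peer without ever reusing
an Unpacker that has raised.  Wrapper names and the 64 KiB limit are assumptions
for this illustration, not part of msgpack or of the advisory."""
import msgpack
from msgpack.exceptions import UnpackException


class StreamClosed(Exception):
    """The connection has produced malformed MessagePack; stop reading from it."""


class UntrustedStreamDecoder:
    """One decoder per connection (hypothetical wrapper).

    * ``max_buffer_size`` bounds how much unparsed input the peer can make us hold.
    * An Unpacker that raised is dropped at once and never fed or iterated again.
    * After the first error the decoder refuses further input; the caller must
      close the connection and build a new decoder for the next one.
    """

    def __init__(self, max_buffer_size=64 * 1024):  # limit is an assumed value
        self._unpacker = msgpack.Unpacker(max_buffer_size=max_buffer_size, raw=False)
        self.closed = False

    def feed(self, chunk):
        """Append bytes read from the socket; return every message completed so far."""
        if self.closed:
            raise StreamClosed("decoder already failed; the connection must be dropped")
        try:
            self._unpacker.feed(chunk)
            # Iteration stops (StopIteration) on a truncated message.  That is
            # normal for a stream: the remaining bytes may arrive in a later read.
            return list(self._unpacker)
        except (ValueError, UnpackException) as exc:
            # FormatError and StackError subclass ValueError; BufferFull (input
            # beyond max_buffer_size) subclasses UnpackException.  Whatever the
            # cause, the instance is discarded and the stream marked bad.
            self._unpacker = None
            self.closed = True
            raise StreamClosed(f"malformed MessagePack from peer: {exc!r}") from exc


def decode_framed(payload, max_message_bytes=64 * 1024):
    """Per-message alternative for length-prefixed frames: a fresh parser for every
    frame, so no parser state survives across an error boundary."""
    if len(payload) > max_message_bytes:
        raise StreamClosed(f"frame of {len(payload)} bytes exceeds {max_message_bytes}")
    try:
        return msgpack.unpackb(payload, raw=False)
    except (ValueError, UnpackException) as exc:
        raise StreamClosed(f"malformed frame: {exc!r}") from exc


def run_demo():
    """Constructed traffic: a whole message, a message split over two reads, a
    malformed byte, an attempt to reuse the failed decoder, and an oversize chunk."""
    good = msgpack.packb({"id": 1, "body": "hello"})
    out = {}
    dec = UntrustedStreamDecoder(max_buffer_size=1024)
    out["whole"] = dec.feed(good)
    out["partial"] = dec.feed(good[:3])        # incomplete: nothing delivered yet
    out["completed"] = dec.feed(good[3:])      # rest arrives: message delivered
    try:
        dec.feed(b"\xc1")                      # 0xc1 is reserved by the spec, never valid
        out["bad_refused"] = False
    except StreamClosed:
        out["bad_refused"] = True
    try:
        dec.feed(good)                         # valid bytes, but the stream is poisoned
        out["reuse_refused"] = False
    except StreamClosed:
        out["reuse_refused"] = True
    oversize = UntrustedStreamDecoder(max_buffer_size=1024)
    try:
        oversize.feed(msgpack.packb(b"x" * 2000))   # 2003-byte chunk > 1024 limit
        out["oversize_refused"] = False
    except StreamClosed:
        out["oversize_refused"] = True
    out["framed"] = decode_framed(msgpack.packb([1, 2, 3]))
    try:
        decode_framed(b"\xc1")
        out["bad_frame_refused"] = False
    except StreamClosed:
        out["bad_frame_refused"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The decoder deliberately has no `reset()`: once a peer has sent bytes the parser rejected, the connection is closed and the next connection gets a new `UntrustedStreamDecoder`, so a failed `Unpacker` is never touched again even by accident. `decode_framed` is the simpler shape for protocols that already length-prefix each message.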