CVE-2026-57585
Public on 2026-06-30
Modified on 2026-07-02
Description
MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, reusing an Unpacker after a caught error can cause an out-of-bounds read or crash, potentially leading to a DoS attack. If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. This issue has been fixed in version 1.2.1.
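For code that cannot move to 1.2.1 right away, the condition named above (calling into an Unpacker again after it raised) can be avoided by discarding the instance on any error. This is an added example, not code from msgpack or from this advisory: `DisposableUnpacker`, `StandInUnpacker` and `demo` are hypothetical names, the stand-in decoder and its input bytes are constructed so the block runs without msgpack installed, and it assumes `msgpack.Unpacker` (same `feed()` and iteration interface) is passed as the factory in real use.

```python
class DisposableUnpacker:
    """Wraps a streaming decoder and replaces it after any decode error."""
    def __init__(self, factory):
        self._factory = factory      # assumption: msgpack.Unpacker in real use
        self._unpacker = factory()
        self.resets = 0

    def decode(self, chunk):
        """Feed one chunk; return (objects, error_or_None)."""
        objs = []
        try:
            self._unpacker.feed(chunk)
            for obj in self._unpacker:
                objs.append(obj)
            return objs, None
        except Exception as exc:
            # Drop the failed instance so no later call can reach it.
            self._unpacker = self._factory()
            self.resets += 1
            return objs, exc

class StandInUnpacker:
    """Constructed stand-in, NOT msgpack: yields one-byte values, rejects 0xc1,
    and records whether it was touched again after raising."""
    def __init__(self):
        self._buf = bytearray()
        self.failed = False
        self.used_after_error = False
    def feed(self, data):
        self.used_after_error |= self.failed
        self._buf += data
    def __iter__(self):
        return self
    def __next__(self):
        self.used_after_error |= self.failed
        if not self._buf:
            raise StopIteration
        b = self._buf.pop(0)
        if b == 0xC1:
            self.failed = True
            raise ValueError("invalid byte 0xc1")
        return b

def demo():
    made = []                        # every decoder instance ever created
    def factory():
        made.append(StandInUnpacker())
        return made[-1]
    safe = DisposableUnpacker(factory)
    chunks = (b"\x01\x02", b"\x03\xc1\x04", b"\x05")   # constructed input
    return [safe.decode(c) for c in chunks], made
```

Bytes still buffered in the discarded instance are lost, so a caller reading from a connection should treat the stream as desynchronised after an error and close it.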
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python-pip | | | Not Affected |
| Amazon Linux 2023 | python-pip | | | Not Affected |
| Amazon Linux 2023 | python-u-msgpack-python | | | Not Affected |
| Amazon Linux 2023 | python3.11-pip | | | Not Affected |
| Amazon Linux 2023 | python3.12-pip | | | Not Affected |
| Amazon Linux 2023 | python3.13-pip | | | Not Affected |
| Amazon Linux 2023 | python3.14-pip | | | Not Affected |
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |