HIGH🇬🇧 English

CVE-2026-41486

CVSS 8.9v4.0pub. 2026-05-08upd. 2026-05-18

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Anyscale Ray

    APP
    Anyscale
    2.54.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEDeserialization
CWE
Referencje

Powiązane podatności

CVE-2023-48022CRITICAL9.8PL ✓ten sam produkt

Anyscale Ray — RCE przez API przesyłania zadań (job submission API)

CVE-2023-48023CRITICAL9.1PL ✓ten sam produkt

SSRF w Anyscale Ray poprzez endpoint /log_proxy

CVE-2026-32981HIGH8.7ten sam produkt

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2....

CVE-2026-27482MEDIUM5.9ten sam produkt

Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST...

CVE-2026-41486 — HIGH 8.9 | CVEbaza.pl