CVE-2026-41486

EPSS 0.47%
Veröffentlicht 08.05.2026 21:46:14
Zuletzt bearbeitet 18.05.2026 18:30:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Anyscale ≫ Ray Version2.54.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.47%	0.371

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	8.9	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r

Vendor Advisory

https://github.com/ray-project/ray/pull/62056

Patch

Issue Tracking

https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f

Patch

https://github.com/ray-project/ray/releases/tag/ray-2.55.0

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-41486

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41486

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41486

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41486