CVE-2026-57585

Publication date 30 June 2026

Last updated 1 July 2026


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

Description

MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. This issue has been fixed in version 1.2.1.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-msgpack 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
python-pip 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
14.04 LTS trusty
Needs evaluation
python-srsly 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
24.04 LTS noble
Needs evaluation
22.04 LTS jammy Not in release

Notes


mdeslaur

On focal and earlier, the python-pip package bundles python-msgpack binaries when built. After updating python-msgpack, a no-change rebuild of python-pip is required. On jammy and later, python-msgpack is bundled in the python-pip package and needs to be patched.


rodrigo-zaiden

python-srsly includes a fork of python-msgpack

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.5 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Access our resources on patching vulnerabilities