14 matches found
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in cbor2 [CVE-2026-26209]
Summary: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in cbor2, caused by uncontrolled recursion when decoding deeply nested CBOR structures (CVE-2026-26209). Cbor2 is used in our speech runtimes. This vulnerability has been addressed. Please read the details for...
Linux Distros Unpatched Vulnerability : CVE-2026-26209
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial ...
ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +99 more potentially affected by CVE-2026-26209 via cbor2 (>=4.1.2 <=5.8.0)
cbor2 PYPI version =4.1.2, =0.1.0, =0.1.0, =0.7.0, =0.13.0, =0.0.1, =0.5.5.post5, =0.5.5.post4, =0.1.1, =0.1.0, =0.2.0, =0.10.6, =0.7.1a0, =1.0.7 and more Source cves: CVE-2026-26209 Source advisory: OSV:GHSA-3C37-WWVX-H642...
CVE-2026-26209
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...
CVE-2026-26209
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...
ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +91 more potentially affected by CVE-2026-26209 via cbor2 (>=5.0.1 <=5.8.0)
cbor2 PYPI version =5.0.1, =0.1.0, =0.1.0, =0.7.0, =0.13.0, =0.0.1, =0.5.5.post5, =0.5.5.post4, =0.1.1, =0.1.0, =0.2.0, =0.10.6, =0.7.1a0, =1.0.7 and more Source cves: CVE-2026-26209 Source advisory: SNYK:PYTHON-CBOR2-15762225...
ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +89 more potentially affected by CVE-2025-68131 via cbor2 (>=5.0.1 <=5.7.1)
cbor2 PYPI version =5.0.1, =0.1.0, =0.1.0, =0.7.0, =0.13.0, =0.0.1, =0.5.5.post5, =0.5.5.post4, =0.1.1, =0.1.0, =0.2.0, =0.10.6, =0.7.1a0, =1.0.7 and more Source cves: CVE-2025-68131 Source advisory: SNYK:PYTHON-CBOR2-14742478...
ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +97 more potentially affected by CVE-2025-68131 via cbor2 (>=4.1.2 <=5.7.1)
cbor2 PYPI version =4.1.2, =0.1.0, =0.1.0, =0.7.0, =0.13.0, =0.0.1, =0.5.5.post5, =0.5.5.post4, =0.1.1, =0.1.0, =0.2.0, =0.10.6, =0.7.1a0, =1.0.7 and more Source cves: CVE-2025-68131 Source advisory: OSV:PYSEC-2025-90...
PYSEC-2025-90
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory an...
ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +82 more potentially affected by CVE-2025-64076 via cbor2 (>=5.0.1 <=5.7.0)
cbor2 PYPI version =5.0.1, =0.1.0, =0.1.0, =0.7.0, =0.13.0, =0.0.1, =0.5.5.post5, =0.5.5.post4, =0.1.1, =0.1.0, =0.1.0, =2.0.1, =4.2.13 and more Source cves: CVE-2025-64076 Source advisory: SNYK:PYTHON-CBOR2-14049181...
Linux Distros Unpatched Vulnerability : CVE-2025-64076
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string function of the C extension decoder (source/decoder.c): (1) Integer...
PT-2025-47374
Name of the Vulnerable Software and Affected Versions cbor2 versions through 5.7.0 Description The cbor2 software contains issues in the decode definite long string function within the C extension decoder source/decoder.c. An integer underflow can lead to an out-of-bounds read, and a memory leak...
antimatter (=0.1.3), arcaflow-plugin-sdk (=0.13.0) +3 more potentially affected by CVE-2024-26134 via cbor2 (>=5.5.1 <=5.6.1)
cbor2 PYPI version =5.5.1, =0.1.0, =1.20.0, =0.0.2, =0.0.6 Source cves: CVE-2024-26134 Source advisory: OSV:GHSA-375G-39JQ-VQ7M...
antimatter (=0.1.3), arcaflow-plugin-sdk (=0.13.0) +3 more potentially affected by CVE-2024-26134 via cbor2 (>=5.5.1 <=5.6.1)
cbor2 PYPI version =5.5.1, =0.1.0, =1.20.0, =0.0.2, =0.0.6 Source cves: CVE-2024-26134 Source advisory: OSV:PYSEC-2024-155...