CVE-2018-20406: pickle.load denial of service

A bug in the pickle.load() function can cause a memory-exhaustion denial of service.

  • Disclosure date: 2018-09-13 (Python issue bpo-34656 reported)

Fixed In

Vulnerable Versions

  • Python 3.4
  • Python 3.5

Python issue

[CVE-2018-20406] memory exhaustion in Modules/_pickle.c:1393.

  • Python issue: bpo-34656
  • Creation date: 2018-09-13
  • Reporter: shuoz

CVE-2018-20406

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a “resize to twice the size” attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
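Because the trigger is a memo index far larger than any real payload needs, a loader can reject such a stream before the unpickler allocates anything. The scan below is an added illustration, not code from the Python project or this advisory; it uses pickletools.genops, which only parses opcodes and never executes them, and the threshold and the two sample streams are constructed assumptions.

```python
import pickle
import pickletools
import struct

# Policy bound on memo indices (constructed value; tune to your payload sizes).
# LONG_BINPUT / LONG_BINGET carry a 4-byte index and an unpatched unpickler grows
# its memo table to fit it; the CVE-2018-20406 overflow lives in that doubling.
MAX_MEMO_INDEX = 1 << 20

# Opcodes whose argument is a memo index (PUT/GET carry it as decimal text,
# which pickletools already converts to int).
MEMO_INDEX_OPCODES = {"LONG_BINPUT", "LONG_BINGET", "PUT", "GET"}


def suspicious_memo_ops(data: bytes, limit: int = MAX_MEMO_INDEX):
    """Return (opcode name, index, byte offset) for every memo opcode whose
    index exceeds `limit`. Parsing stops at the first malformed opcode, which
    is itself a reason to reject the stream."""
    hits = []
    try:
        for opcode, arg, pos in pickletools.genops(data):
            if opcode.name in MEMO_INDEX_OPCODES and arg is not None and arg > limit:
                hits.append((opcode.name, arg, pos))
    except ValueError as exc:  # truncated or malformed stream
        hits.append(("MALFORMED", -1, str(exc)))
    return hits


def memo_indices_within_bound(data: bytes, limit: int = MAX_MEMO_INDEX) -> bool:
    """True if the stream is safe to hand to pickle.load() as far as this CVE
    is concerned. It says nothing about the other risks of unpickling
    untrusted data; it only blocks the oversized-memo-index trigger."""
    return not suspicious_memo_ops(data, limit)


# Constructed sample 1: an ordinary protocol-2 pickle, memo indices start at 0.
BENIGN = pickle.dumps([1, 2, 3], protocol=2)

# Constructed sample 2: PROTO 2, BININT1 1, then LONG_BINPUT ('r') with a
# 4-byte little-endian index of 0x00FFFFFF, then STOP. Well-formed, but the
# memo index is absurd for a one-object payload.
CRAFTED = b"\x80\x02K\x01r" + struct.pack("<I", 0x00FFFFFF) + b"."

if __name__ == "__main__":
    print("benign ok:", memo_indices_within_bound(BENIGN))
    print("crafted hits:", suspicious_memo_ops(CRAFTED))
```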

Timeline

Timeline using the disclosure date 2018-09-13 as reference: