CVE-2026-57585
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A vulnerability in the MessagePack library for Python allows out-of-bounds read and process crash when reusing an Unpacker object after an error. The issue is fixed in version 1.2.1.
Risk Assessment
An attacker can cause a denial of service (DoS) by repeatedly using the Unpacker after an error, leading to a segfault and service disruption.
Recommendation
Immediately update the MessagePack library to version 1.2.1 or later. Avoid reusing the Unpacker object after an error occurs.
Original NVD description (English source)
MessagePack is the serializer implementation for Python msgpack.org. Prior to 1.2.1, there is an Out-of-bounds read/crash on Unpacker reuse after a caught error, potentially leading to a DoS attack. If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. This issue has been fixed in version 1.2.1.

