CVE-2026-41486
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls arrow_ext_deserialize on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ray-project | ray | >= 2.54.0, < 2.55.0 | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-502: CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r
- https://github.com/ray-project/ray/pull/62056
- https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f
- https://github.com/ray-project/ray/releases/tag/ray-2.55.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.