Back to overview

CVE-2026-53877

MEDIUM
4.8
CVSS 3.1
Description
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

Metadata

CVE ID
CVE-2026-53877
State
PUBLISHED
Assigner
DSF
Reserved
2026-06-11 01:11 UTC
Published
2026-07-07 14:10 UTC
Last updated
2026-07-07 14:59 UTC
Primary CWE
CWE-805
CWE-805: Buffer Access with Incorrect Length Value
Vendor / Product
djangoproject / Django
Sources
cve.org  ·  NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
djangoproject Django 6.0 < 6.0.7, 6.0.7, 5.2 < 5.2.16, 5.2.16
Weakness (CWE)
CWESourceDescription
CWE-805 cna CWE-805: Buffer Access with Incorrect Length Value
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
4.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
References (3)
Back to overview