UBUNTU-CVE-2026-33155

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-33155
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33155
Upstream
Published
2026-03-20T21:17:00Z
Modified
2026-05-20T16:25:24.264673978Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickleload with untrusted data. This issue has been patched in version 8.6.2.

References

Affected packages

Ubuntu:20.04:LTS / deepdiff

Package

Name
deepdiff
Purl
pkg:deb/ubuntu/deepdiff?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.3.0-1
3.3.0-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "python3-deepdiff",
            "binary_version": "3.3.0-2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json"

Ubuntu:22.04:LTS / deepdiff

Package

Name
deepdiff
Purl
pkg:deb/ubuntu/deepdiff?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.3.0-2
3.3.0-2ubuntu1
3.3.0-3
5.*
5.6.0-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "python3-deepdiff",
            "binary_version": "5.6.0-2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json"

Ubuntu:24.04:LTS / deepdiff

Package

Name
deepdiff
Purl
pkg:deb/ubuntu/deepdiff?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.2.2-1
6.7.1-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "python3-deepdiff",
            "binary_version": "6.7.1-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json"

Ubuntu:25.10 / deepdiff

Package

Name
deepdiff
Purl
pkg:deb/ubuntu/deepdiff?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.1.1-3
8.1.1-4

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "python3-deepdiff",
            "binary_version": "8.1.1-4"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json"

Ubuntu:26.04:LTS / deepdiff

Package

Name
deepdiff
Purl
pkg:deb/ubuntu/deepdiff?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*
8.1.1-4
8.6.1-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "python3-deepdiff",
            "binary_version": "8.6.1-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33155.json"