CVE-2026-49854

NameCVE-2026-49854
DescriptionTornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-tornado (PTS)bullseye6.1.0-1vulnerable
bullseye (security)6.1.0-1+deb11u4vulnerable
bookworm, bookworm (security)6.2.0-3+deb12u4vulnerable
trixie (security), trixie6.4.2-3+deb13u2vulnerable
forky, sid6.5.5-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-tornadosource(unstable)(unfixed)

Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9
Fixed by: https://github.com/tornadoweb/tornado/commit/96dc88c2a05705287856b2cd6b4b4034f9a6aaac (v6.5.6)

Search for package or bug name: Reporting problems