
Description

Ray is an AI compute engine. In versions from 2.54.0 up to, but not including, 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), which allows arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
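The following is an added example, not code from Ray or from the advisory, that puts the unsafe metadata path described above beside a data-only alternative. It runs without pyarrow: the two deserialize_* functions stand in for the body of an ExtensionType.__arrow_ext_deserialize__ hook, the metadata keys, size limit and validation rules are constructed for the illustration (not Ray's real tensor metadata format), and the hardened variant is an illustration of the principle, not the actual change shipped in 2.55.0. The static opcode scan at the end is useful for triaging Parquet files already on disk without loading them.

```python
"""Unsafe vs. data-only deserialization of Arrow extension-type metadata.
Added example; assumptions: SAMPLE_META, EXPECTED_KEYS and the 4096-byte
limit are constructed, and the functions stand in for an
__arrow_ext_deserialize__ hook rather than reproducing Ray's code."""
import collections
import io
import json
import pickle
import pickletools

# Constructed sample of what a tensor extension type's metadata might carry.
SAMPLE_META = {"shape": [3, 4], "dtype": "float32"}
EXPECTED_KEYS = {"shape", "dtype"}

# Constructed inputs: a plain-data pickle (what a legacy file would carry) and
# a pickle that references a class by module path (collections.OrderedDict).
LEGACY_PICKLE = pickle.dumps(SAMPLE_META)
CLASS_REF_PICKLE = pickle.dumps(collections.OrderedDict(SAMPLE_META))

# Opcodes that make a pickle stream import names or call objects; a stream
# holding only containers and scalars never needs any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def serialize_json(meta: dict) -> bytes:
    """Data-only encoding for __arrow_ext_serialize__: nothing executes on load."""
    return json.dumps(meta, separators=(",", ":"), sort_keys=True).encode("utf-8")


def deserialize_unsafe(serialized: bytes):
    """The vulnerable pattern: bytes taken from the Parquet schema go straight
    to a pickle loader, so whatever objects the file's author serialized are
    reconstructed (and any callables invoked) before a single row is read."""
    return pickle.loads(serialized)


class _DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every module-level name lookup, which leaves only builtin
    containers and scalars reconstructible; used only for legacy metadata."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"extension metadata may not reference {module}.{name}")


def deserialize_hardened(serialized: bytes, max_len: int = 4096) -> dict:
    """Prefer JSON; fall back to the data-only unpickler for files written
    with the old encoding; validate the structure before anything uses it."""
    if len(serialized) > max_len:
        raise ValueError("extension metadata too large")
    try:
        # UnicodeDecodeError and JSONDecodeError are both ValueError subclasses.
        meta = json.loads(serialized.decode("utf-8"))
    except ValueError:
        meta = _DataOnlyUnpickler(io.BytesIO(serialized)).load()
    if not isinstance(meta, dict) or set(meta) != EXPECTED_KEYS:
        raise ValueError("unexpected extension metadata structure")
    shape = meta["shape"]
    if not (isinstance(shape, list) and all(
            isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape)):
        raise ValueError("shape must be a list of non-negative integers")
    if not isinstance(meta["dtype"], str):
        raise ValueError("dtype must be a string")
    return meta


def hardened_rejects(serialized: bytes) -> bool:
    """True if deserialize_hardened refuses the bytes."""
    try:
        deserialize_hardened(serialized)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


def risky_pickle_opcodes(serialized: bytes):
    """Static triage for files already on disk: list the code-bearing opcodes
    in a pickle stream without executing it; None if the bytes are not a
    pickle stream at all (for example JSON metadata)."""
    try:
        found = {op.name for op, _arg, _pos in pickletools.genops(serialized)}
    except Exception:  # genops raises ValueError (and others) on non-pickle input
        return None
    return sorted(found & CODE_OPCODES)


if __name__ == "__main__":
    print("unsafe loader, plain dict:", deserialize_unsafe(LEGACY_PICKLE))
    print("hardened, JSON:", deserialize_hardened(serialize_json(SAMPLE_META)))
    print("hardened, legacy pickle:", deserialize_hardened(LEGACY_PICKLE))
    print("hardened rejects class-referencing pickle:", hardened_rejects(CLASS_REF_PICKLE))
    print("risky opcodes in that pickle:", risky_pickle_opcodes(CLASS_REF_PICKLE))
```

Benign metadata round-trips through both loaders identically, which is why the flaw is invisible in normal use; the difference only shows on a stream that references names or calls objects, which the data-only unpickler refuses at the first such opcode and the opcode scan flags without ever loading it.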

Status: PUBLISHED | Reserved 2026-04-20 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M




HIGH: 8.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-502: Deserialization of Untrusted Data

Product status

affected: >= 2.54.0, < 2.55.0

References

github.com/...ct/ray/security/advisories/GHSA-mw35-8rx3-xf9r

github.com/ray-project/ray/pull/62056

github.com/...ommit/c02bd31ae31996805868baa446a131a8d304525f

github.com/ray-project/ray/releases/tag/ray-2.55.0

cve.org (CVE-2026-41486)

nvd.nist.gov (CVE-2026-41486)
