Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

AI Analysis

Remote code execution via Parquet Arrow extension type deserialization

Basic Information

ID CVE-2026-41486

Source GitHub_M

Published May 8, 2026 at 21:46

Affected Product

Vendor ray-project

Product ray

Version >= 2.54.0, < 2.55.0

Affected Versions ray-project ray >= 2.54.0, < 2.55.0

CWE Classification

CWE-94 CWE-502

AI Assessment

AI Score 8.9 / 10

AI Severity High

Vendor Ray Project

Product Ray

Version 2.54.0 to 2.55.0

References

{
    "lastseen": "",
    "description": "Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.",
    "published": "2026-05-08T21:46:14.442Z",
    "modified": "2026-05-08T21:46:14.442Z",
    "type": "cve",
    "title": "Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization",
    "source": "GitHub_M",
    "references": "https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r\nhttps://github.com/ray-project/ray/pull/62056\nhttps://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f\nhttps://github.com/ray-project/ray/releases/tag/ray-2.55.0",
    "id": "CVE-2026-41486",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "ray-project ray >= 2.54.0, < 2.55.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ray",
    "version": ">= 2.54.0, < 2.55.0",
    "vendor": "ray-project",
    "ai_description": "Remote code execution via Parquet Arrow extension type deserialization",
    "ai_severity": "High",
    "ai_vendor": "Ray Project",
    "ai_product": "Ray",
    "ai_version": "2.54.0 to 2.55.0",
    "ai_score": 8.9
}

Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization_CVE-2026-41486