Intel

AIKIDO-2026-239380

dbus-fast is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

57

Medium Risk

This Affects:

PYTHONdbus-fast
1.0.0 - 4.2.0
Fixed in 4.2.1
Are you affected? Scan for Free

TL;DR

dbus-fast parses D-Bus introspection XML returned by peers using the standard-library xml.etree.ElementTree parser, which expands internal XML entities. A hostile or unprivileged peer can answer an org.freedesktop.DBus.Introspectable.Introspect request with a tiny document that defines nested or repeatedly referenced entities, forcing the parser to expand it into gigabytes and exhaust process memory or CPU. Clients and daemons that automatically introspect peers appearing on the bus are exposed to this billion-laughs / quadratic-blowup denial of service. The fix routes introspection parsing through a custom pyexpat parser that rejects internal DTD subsets and disables parameter-entity parsing.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application introspects untrusted D-Bus peers.

Background info

dbus-fast is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 4.2.0.

How to fix this

Upgrade the dbus-fast library to the patch version.