Intel

AIKIDO-2026-347960

kernels is vulnerable to Download of Code Without Integrity Check

Download of Code Without Integrity Check Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 30, 2026

60

Medium Risk

This Affects:

PYTHONkernels
0.1.7 - 0.15.2
Fixed in 0.16.0
Are you affected? Scan for Free

TL;DR

The kernels library downloads compute kernel repositories from the Hub and imports their Python modules at runtime. Affected versions download .pyc and __pycache__ bytecode files that are excluded from the lockfile and digest integrity hashes, so this bytecode is never covered by integrity verification. An attacker who publishes or tampers with a kernel repository can smuggle malicious Python bytecode that runs when the kernel is imported while the source files still pass hash checks, leading to arbitrary code execution. The fix stops downloading bytecode files and includes any stray top-level .pyc files in the digest.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you load kernels from a repository that an attacker can publish to or modify.

Background info

kernels is vulnerable to Download of Code Without Integrity Check in versions 0.1.7 - 0.15.2.

How to fix this

Upgrade the kernels library to the patch version.