Intel

AIKIDO-2026-542208

dbus-fast is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

41

Medium Risk

This Affects:

PYTHONdbus-fast
1.0.0 - 5.0.1
Fixed in 5.0.2
Are you affected? Scan for Free

TL;DR

The introspection XML parser in introspection.py recursively parses nested <node> elements via Node.from_xml without bounding the recursion depth. Introspection XML is parsed from the reply to an org.freedesktop.DBus.Introspectable.Introspect call, so a hostile or buggy peer can return a document with deeply nested <node> elements and exhaust the Python (or C) stack, crashing the consuming process. The fix routes parsing through Node._from_xml with a depth counter and raises InvalidIntrospectionError once nesting exceeds _MAX_NODE_DEPTH (32).

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

dbus-fast is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 5.0.1.

How to fix this

Upgrade the dbus-fast library to the patch version.