Intel

AIKIDO-2026-59367

dbus-fast is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

42

Medium Risk

This Affects:

PYTHONdbus-fast
1.0.0 - 4.2.4
Fixed in 4.2.5
Are you affected? Scan for Free

TL;DR

The pre-authentication line readers in the asyncio and GLib message bus backends read the D-Bus auth handshake into a buffer without any size cap and without handling a closed connection. A hostile peer that streams bytes without a terminating CRLF forces the buffer to grow until host memory is exhausted, and on the asyncio path an abrupt disconnect makes the reader spin on empty reads and hang. The fix caps the auth line at 16 KiB, reads in bounded chunks, and raises an AuthError when the peer sends EOF mid-handshake. Both _auth_readline and the GLib _AuthLineSource now surface the error instead of growing unbounded or looping forever.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application connects to an untrusted D-Bus peer.

Background info

dbus-fast is vulnerable to Denial of Service (DoS) in versions 1.0.0 - 4.2.4.

How to fix this

Upgrade the dbus-fast library to the patch version.