Intel

AIKIDO-2026-597441

qiskit is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-4870 Published 3 days ago

75

High Risk

This Affects:

PYTHONqiskit
0.43.0 - 1.4.5
Fixed in 1.4.6
2.0.0 - 2.4.1
Fixed in 2.4.2
Are you affected? Scan for Free

TL;DR

The OpenQASM 2 importer functions qiskit.qasm2.load and qiskit.qasm2.loads parse classical expressions with a recursive operator-precedence parser. When given a program containing deeply nested expressions, such as an arbitrarily long run of parentheses, the expression subparser recurses without bound and exhausts the native stack. This causes a stack-overflow segmentation fault that abruptly crashes the interpreter process, allowing a denial of service through crafted OpenQASM 2 input. The fix threads a recursion-depth limit derived from sys.getrecursionlimit() through the parser and raises a Python RecursionError before the stack is exhausted.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you parse untrusted OpenQASM 2 program text with qiskit.qasm2.load or qiskit.qasm2.loads.

Background info

qiskit is vulnerable to Denial of Service (DoS) in versions 0.43.0 - 1.4.5 and 2.0.0 - 2.4.1.

How to fix this

Upgrade the qiskit library to the patch version.