Intel

AIKIDO-2026-988515

pygeohash is vulnerable to Out-of-Bounds Read

Out-of-Bounds Read Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

41

Medium Risk

This Affects:

PYTHONpygeohash
3.0.0 - 3.2.2
Fixed in 3.3.0
Are you affected? Scan for Free

TL;DR

The C extension decoder in pygeohash.cgeohash.geohash_module indexes a fixed 128-entry base32_decode_map table using each input byte cast to a signed int. When a geohash string contains a byte >= 128 (for example multibyte UTF-8), that cast produces a negative index and the decoder reads outside the lookup table. The out-of-bounds read can yield incorrect decode results and, depending on process memory layout, undefined behavior. The fix casts each character to unsigned char and rejects any byte >= 128 with ValueError("Invalid character in geohash") before the table lookup.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application decodes untrusted geohash strings.

Background info

pygeohash is vulnerable to Out-of-Bounds Read in versions 3.0.0 - 3.2.2.

How to fix this

Upgrade the pygeohash library to the patch version.