CVE-2026-49854: CWE-126: Buffer Over-read in tornadoweb tornado
A buffer over-read vulnerability exists in the Tornado Python web framework's native extension tornado.speedups prior to version 6.5.6. The issue arises because the websocket_mask function does not validate that the mask argument is exactly four bytes, potentially causing the C function to read up to three bytes beyond the provided buffer during Tornado XSRF token decoding. This vulnerability is fixed in Tornado version 6.5.6.
AI Analysis
Technical Summary
CVE-2026-49854 is a buffer over-read vulnerability (CWE-126) in the Tornado web framework's optional native extension tornado.speedups. Specifically, the websocket_mask function fails to validate the length of the mask argument, which should be exactly four bytes. When the native extension is active and Tornado's XSRF token decoding invokes this function, it may read up to three bytes beyond the intended buffer boundary. This flaw affects all Tornado versions prior to 6.5.6 and is resolved in version 6.5.6.
Potential Impact
The vulnerability allows a read of memory beyond the intended buffer, which may lead to information disclosure of adjacent memory contents. The CVSS v3.1 score is 5.3 (medium severity), reflecting that the impact is limited to confidentiality loss without integrity or availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Tornado to version 6.5.6 or later, where this buffer over-read issue in the native extension is fixed. No other mitigations are indicated or required.
CVE-2026-49854: CWE-126: Buffer Over-read in tornadoweb tornado
Description
A buffer over-read vulnerability exists in the Tornado Python web framework's native extension tornado.speedups prior to version 6.5.6. The issue arises because the websocket_mask function does not validate that the mask argument is exactly four bytes, potentially causing the C function to read up to three bytes beyond the provided buffer during Tornado XSRF token decoding. This vulnerability is fixed in Tornado version 6.5.6.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49854 is a buffer over-read vulnerability (CWE-126) in the Tornado web framework's optional native extension tornado.speedups. Specifically, the websocket_mask function fails to validate the length of the mask argument, which should be exactly four bytes. When the native extension is active and Tornado's XSRF token decoding invokes this function, it may read up to three bytes beyond the intended buffer boundary. This flaw affects all Tornado versions prior to 6.5.6 and is resolved in version 6.5.6.
Potential Impact
The vulnerability allows a read of memory beyond the intended buffer, which may lead to information disclosure of adjacent memory contents. The CVSS v3.1 score is 5.3 (medium severity), reflecting that the impact is limited to confidentiality loss without integrity or availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Tornado to version 6.5.6 or later, where this buffer over-read issue in the native extension is fixed. No other mitigations are indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-01T22:03:19.640Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56a08668715ace432de5e4
Added to database: 07/14/2026, 20:48:06 UTC
Last enriched: 07/14/2026, 21:07:59 UTC
Last updated: 07/14/2026, 21:07:59 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.