Vulnerability in Tornado Web Framework Allows Buffer Overread
CVE-2026-49854
5.3MEDIUM
What is CVE-2026-49854?
The Tornado web framework and asynchronous networking library contains a vulnerability in its optional native extension, tornado.speedups. This issue arises from the websocket_mask function not validating the mask argument to ensure it is exactly four bytes. As a result, this could lead to the C function reading past the end of the provided buffer during Tornado XSRF token decoding when the native extension is active. This vulnerability has been addressed in Tornado version 6.5.6, which includes the necessary validation to prevent such buffer overreads.
Affected Version(s)
tornado < 6.5.6
