Vulnerability in Tornado Web Framework Allows Buffer Overread
CVE-2026-49854

5.3MEDIUM

Key Information:

Vendor

Tornadoweb

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-49854?

The Tornado web framework and asynchronous networking library contains a vulnerability in its optional native extension, tornado.speedups. This issue arises from the websocket_mask function not validating the mask argument to ensure it is exactly four bytes. As a result, this could lead to the C function reading past the end of the provided buffer during Tornado XSRF token decoding when the native extension is active. This vulnerability has been addressed in Tornado version 6.5.6, which includes the necessary validation to prevent such buffer overreads.

Affected Version(s)

tornado < 6.5.6

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.