CVE-2026-49854
Tornado: Out-of-bounds memory access in C extension
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.
| CWE | CWE-126 |
| Vendor | tornadoweb |
| Product | tornado |
| Published | Jul 14, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for tornadoweb tornado
Be the first to know when new medium vulnerabilities affecting tornadoweb tornado are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
tornadoweb / tornado
< 6.5.6
References
github.com: https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9 github.com: https://github.com/tornadoweb/tornado/pull/3626 github.com: https://github.com/tornadoweb/tornado/commit/96dc88c2a05705287856b2cd6b4b4034f9a6aaac github.com: https://github.com/tornadoweb/tornado/releases/tag/v6.5.6