On Sat, Jun 06, 2026 at 09:26:38PM +0200, Salvatore Bonaccorso wrote:
> Source: dask
> Version: 2024.12.1+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/dask/dask/issues/12403
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
> Control: found -1 2024.12.1+dfsg-2
>
> Hi,
>
> The following vulnerability was published for dask.
>
> CVE-2026-10705[0]:
> | A flaw has been found in dask up to 3.0. Affected by this issue is
> | the function nunique_approx of the file
> | dask/dataframe/hyperloglog.py of the component HLL Handler. This
> | manipulation causes resource consumption. The attack is possible to
> | be carried out remotely. A high degree of complexity is needed for
> | the attack. The exploitation is known to be difficult. The pull
> | request to fix this issue awaits acceptance.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-10705
>     https://www.cve.org/CVERecord?id=CVE-2026-10705
> [1] https://github.com/dask/dask/issues/12403
> [2] https://github.com/dask/dask/pull/12401
>
> Please adjust the affected versions in the BTS as needed.
This is likely a non-issue. Cf. https://github.com/dask/dask/issues/12403#issuecomment-4640315993

Regards,
Salvatore

