Heap buffer over-read in GDALRaster
Summary
| CVE | CVE-2026-53877 |
|---|---|
| State | PUBLISHED |
| Assigner | DSF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-07 15:16:48 UTC |
| Updated | 2026-07-07 16:16:40 UTC |
| Description | An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue. |
Risk And Classification
Primary CVSS: v4.0 6.3 MEDIUM from 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-805 | CWE-805 CWE-805: Buffer Access with Incorrect Length Value
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | Secondary | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N |
| 3.1 | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | Secondary | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
| 3.1 | CNA | DECLARED | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
LowIntegrity
NoneAvailability
LowSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
LowCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Djangoproject | Django | affected 6.0 6.0.7 python | Not specified |
| CNA | Djangoproject | Django | unaffected 6.0.7 python | Not specified |
| CNA | Djangoproject | Django | affected 5.2 5.2.16 python | Not specified |
| CNA | Djangoproject | Django | unaffected 5.2.16 python | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| groups.google.com/g/django-announce | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | groups.google.com | |
| docs.djangoproject.com/en/dev/releases/security | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | docs.djangoproject.com | |
| www.djangoproject.com/weblog/2026/jul/07/security-releases | 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 | www.djangoproject.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Bence Nagy (en)
CNA: Jacob Walls (en)
CNA: Jacob Walls (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-02T12:00:00.000Z | Initial report received. |
| CNA | 2026-06-11T12:00:00.000Z | Vulnerability confirmed. |
| CNA | 2026-07-07T09:00:00.000Z | Security release issued. |
There are currently no legacy QID mappings associated with this CVE.