Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.
History

Thu, 16 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 15 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Tornadoweb
Tornadoweb tornado
Vendors & Products Tornadoweb
Tornadoweb tornado

Wed, 15 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Description Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.
Title Tornado: Out-of-bounds memory access in C extension
Weaknesses CWE-126
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-14T20:43:03.977Z

Updated: 2026-07-15T13:26:39.749Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49854

cve-icon Vulnrichment

Updated: 2026-07-15T13:23:14.145Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-14T20:43:03Z

Links: CVE-2026-49854 - Bugzilla