CVE-2026-53877 in Djangoinfo

Summary

by MITRE • 07/07/2026

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `django.contrib.gis.gdal.GDALRaster` over-reads its in-memory buffer when constructed from a bytes object, which can disclose adjacent memory or cause service degradation via a potential segmentation fault when the `vsi_buffer` property is accessed. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability affects Django's geographic information system component, specifically the GDALRaster class within django.contrib.gis.gdal module. The issue manifests when constructing a GDALRaster object from a bytes object without proper bounds checking, creating a classic buffer over-read condition that can lead to information disclosure or denial of service. The vulnerability exists in Django versions 6.0 before 6.0.7 and 5.2 before 5.2.16, with potentially affected unsupported versions including 5.0.x, 4.1.x, and 3.2.x series.

The technical flaw stems from improper memory management within the GDALRaster constructor when processing bytes input through the vsi_buffer property access. When a bytes object is passed to create a GDALRaster instance, the code fails to validate buffer boundaries before reading data into memory, allowing an attacker to potentially read adjacent memory locations or trigger segmentation faults. This over-read condition occurs during the internal buffer handling process where the application attempts to access memory beyond the allocated buffer space. The vulnerability aligns with CWE-129 Input Validation and Output Generation and represents a memory safety issue that can be exploited through crafted input data.

The operational impact of this vulnerability is significant for Django applications that utilize geographic data processing capabilities, particularly those handling untrusted input through GDALRaster operations. An attacker could potentially exploit this vulnerability to disclose sensitive information from adjacent memory regions, which might contain database credentials, session tokens, or other confidential application data. Additionally, the segmentation fault condition could cause service degradation or complete application crashes, leading to denial of service attacks against legitimate users. The vulnerability affects applications that process raster geographic data, making it particularly concerning for mapping services, geospatial analysis platforms, and any system relying on Django's GIS functionality.

Organizations should immediately upgrade to Django 6.0.7 or 5.2.16 to address this vulnerability, as these releases contain the necessary patches to prevent buffer over-read conditions in GDALRaster operations. The fix involves implementing proper bounds checking when processing bytes objects during GDALRaster construction and ensuring that memory access operations respect allocated buffer boundaries. Security teams should also conduct thorough code reviews of any custom implementations that directly interact with GDALRaster or similar geographic data processing components, as described in the ATT&CK framework's techniques for privilege escalation through memory corruption vulnerabilities. Organizations using unsupported Django versions should prioritize upgrading to supported releases to mitigate this and other potential security issues.

Responsible

DSF

Reservation

06/11/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!