CVE-2026-9147
scikit-hep · uproot
A code injection vulnerability in uproot allows malicious ROOT files to execute arbitrary code during runtime by exploiting the dynamic generation of Python classes from TStreamerInfo records.
Executive summary
The uproot library is susceptible to arbitrary code execution when processing untrusted ROOT files, posing a high risk to local systems.
Vulnerability
The software dynamically generates and compiles Python code based on TStreamerInfo metadata (CWE-94), which can be manipulated by an attacker to achieve remote or local code execution with the privileges of the user running the process.
Business impact
With a CVSS score of 7.8, this vulnerability represents a high risk to data processing environments. If an attacker can provide a maliciously crafted ROOT file to a victim, they could gain full control over the local execution environment, leading to data exfiltration or system compromise.
Remediation
Immediate Action: Restrict the processing of ROOT files to only those from trusted and verified sources until a patch is applied by the maintainers.
Proactive Monitoring: Monitor system processes for unusual child processes or unexpected code execution events originating from the Python interpreter during data analysis tasks.
Compensating Controls: Execute untrusted data analysis tasks within a sandboxed environment or a container with minimal privileges to limit the impact of a potential compromise.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Users of the uproot library should exercise extreme caution when handling external or untrusted data files. It is recommended to monitor the official scikit-hep repository for security patches and apply them as soon as they become available.