Hi,

The following vulnerability was published for dask.

CVE-2026-10705[0]:
| A flaw has been found in dask up to 3.0. Affected by this issue is
| the function nunique_approx of the file
| dask/dataframe/hyperloglog.py of the component HLL Handler. This
| manipulation causes resource consumption. The attack is possible to
| be carried out remotely. A high degree of complexity is needed for
| the attack. The exploitation is known to be difficult. The pull
| request to fix this issue awaits acceptance.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10705
    https://www.cve.org/CVERecord?id=CVE-2026-10705
[1] https://github.com/dask/dask/issues/12403
[2] https://github.com/dask/dask/pull/12401

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
This is likely a non-issue. Cf. https://github.com/dask/dask/issues/12403#issuecomment-4640315993

Regards,
Salvatore
I wondered about that comment too. I did subscribe to the bug, on the chance upstream decides to incorporate a fix. The discussion seems to imply it's currently a fairly low risk and mostly would lead to performance issues or resource exhaustion.
Hi Diane,

Thanks for your quick follow-up. I have marked the issue as no-dsa, because the risk is indeed fairly low. I wonder what upstream aims to do if they consider the CVE invalid, or just low risk and will fix it at some point. In the latter case we can then simply update to the version incorporating the fix and as well further ignore stable for it.

Let me know about your thoughts.

Regards,
Salvatore