Description
A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of the file dask/dataframe/hyperloglog.py of the component HLL Handler. Manipulating this function causes excessive resource consumption. The attack can be carried out remotely, but a high degree of complexity is needed, and exploitation is known to be difficult. The pull request to fix this issue awaits acceptance.
Published: 2026-06-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Dask’s hyperloglog.py allows an attacker to cause excessive resource consumption by manipulating the nunique_approx function. The flaw is high in complexity: it can be targeted remotely, but it requires specialized input and is known to be difficult to exploit. Successful exploitation would lead to significant CPU or memory usage, potentially rendering a system unresponsive.

Affected Systems

The issue affects Dask releases up to version 3.0. The vulnerability exists in the HLL handler component, specifically the nunique_approx function. No other Dask versions are listed, and the fix is waiting to be merged in a pending pull request.

Risk and Exploitability

The CVSS score for this bug is 2.3, indicating a low severity. EPSS information is not available, and the issue is not listed in CISA’s KEV catalog. Remote exploitation is theoretically possible, but the high complexity and known difficulty of exploitation mean that the overall risk is modest. Nonetheless, attackers could still leverage resource exhaustion to disrupt service availability if the flaw is successfully triggered.

Generated by OpenCVE AI on June 3, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched Dask version once the pending pull request is merged or install the latest pre‑release containing the fix.
  • Restrict or disable the use of nunique_approx in untrusted or external code paths to prevent manipulation.
  • Implement resource limits (such as cgroups or container quotas) and monitor system metrics for abnormal CPU or memory usage to mitigate a potential denial of service.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 02:30:00 +0000

Values Removed: (none)
Values Added:

Description: A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of the file dask/dataframe/hyperloglog.py of the component HLL Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The pull request to fix this issue awaits acceptance.
Title: dask HLL hyperloglog.py nunique_approx resource consumption
First Time appeared: Dask; Dask dask
Weaknesses: CWE-400; CWE-404
CPEs: cpe:2.3:a:dask:dask:*:*:*:*:*:*:*:*
Vendors & Products: Dask; Dask dask
References: (none)
Metrics:
  cvssV2_0: {'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R'}
  cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R'}
  cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T14:11:44.133Z

Reserved: 2026-06-02T17:46:25.630Z

Link: CVE-2026-10705

Vulnrichment

Updated: 2026-06-03T14:11:39.991Z

NVD

Status: Received

Published: 2026-06-03T02:16:17.397

Modified: 2026-06-03T02:16:17.397

Link: CVE-2026-10705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:13Z

Weaknesses