Description
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
Published: 2026-05-08
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Ray's handling of custom PyArrow extension types during Parquet file parsing. When a Parquet file contains one of the Ray-specific Arrow extension types, PyArrow calls __arrow_ext_deserialize__ on the field's metadata bytes, and Ray passes those bytes directly to cloudpickle.loads(). Because unpickling performs no validation of its input, attacker-controlled metadata can execute arbitrary Python code with whatever privileges Ray is running under, leading to full compromise of the host system.

Affected Systems

Ray versions starting from 2.54.0 up to, but not including, 2.55.0 are affected. The impact applies to any environment where Ray registers the custom extension types globally in PyArrow and processes external Parquet files.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. The EPSS score is not available, so the actual exploitation frequency is unclear, and Ray is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is that an adversary who can supply a crafted Parquet file to a Ray application triggers the unsafe deserialization path and achieves remote code execution before any row data is read. A patch is available in Ray 2.55.0, which removes the unsafe deserialization.

Generated by OpenCVE AI on May 8, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ray to version 2.55.0 or later.
  • Ensure Ray is configured to avoid processing untrusted Parquet files, e.g., validate file origins before loading.
  • If upgrading immediately is not possible, temporarily disable the registration of Ray’s custom Arrow extension types in PyArrow until a patch is applied.



Advisories

Source: GitHub GHSA
ID: GHSA-mw35-8rx3-xf9r
Title: Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization
History

Fri, 08 May 2026 23:45:00 +0000

  • First Time appeared (values added): Ray Project; Ray Project ray
  • Vendors & Products (values added): Ray Project; Ray Project ray

Fri, 08 May 2026 22:00:00 +0000

  • Description (value added): Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
  • Title (value added): Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization
  • Weaknesses (values added): CWE-502; CWE-94
  • References (values added): none recorded
  • Metrics (value added): cvssV4_0, score 8.9, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-08T21:46:14.442Z
Reserved: 2026-04-20T16:14:19.007Z
Link: CVE-2026-41486

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-08T22:16:29.903
Modified: 2026-05-08T22:16:29.903
Link: CVE-2026-41486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses