Description
IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser.
Published: 2026-06-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Qiskit SDK 0.43.0 through 2.5.0 contains a flaw in its OpenQASM 2 parser where handling complex classical expressions can trigger uncontrolled recursion. This recursion can exceed Python’s stack limit, causing a segmentation fault that aborts the process and results in a denial of service. The vulnerability is a classic example of CWE‑674, Uncontrolled Recursion.

Affected Systems

Vendors affected: IBM. Product: Qiskit SDK. Versions vulnerable: 0.43.0 to 2.5.0 inclusive. The issue is mitigated in Qiskit v1.4.6 and v2.4.2, which incorporate a recursion limit check.

Risk and Exploitability

Based on the description, the likely attack vector is the delivery of a malicious QASM file to a vulnerable SDK instance. The CVSS score of 7.5 indicates high severity, and while the EPSS score is not available, the lack of a CISA KEV listing suggests no active exploitation has been reported. Attackers only need to supply a malicious QASM file that exploits deep classical expressions; no privileged access or network exploits are required beyond delivery of the input to a vulnerable instance of the SDK. Given the high impact and straightforward exploitation path, the risk remains significant for systems that parse untrusted QASM data.

Generated by OpenCVE AI on June 12, 2026 at 23:05 UTC.

Remediation

Vendor Solution

Remediation/Fixes guidance: The issue is addressed in Qiskit versions v1.4.6 and v2.4.2. These are patched to error with a Python-space RecursionError exception once the expression depth exceeds the Python recursion limit which can be queried with sys.getrecursionlimit(). This limit can be adjusted by calling sys.setrecursionlimit(). Future versions of Qiskit may remove this limit entirely with a non-recursive version of the OpenQASM 2 parser. Product(s)Version(s) number and/or range Remediation/Fix/Instructions<Qiskit SDK - qiskit.qasm2.loads() function>v1.4.6 and v2.4.2 Upgrade to the patched versions: qiskit v1.4.6 or qiskit v2.4.2. <Qiskit SDK - QuantumCircuit.from_qasm_str function>v1.4.6 and v2.4.2 Upgrade to the patched versions: qiskit v1.4.6 or qiskit v2.4.2. <Qiskit SDK - QuantumCircuit.from_qasm_str function>v1.4.6 and v2.4.2 Upgrade to the patched versions: qiskit v1.4.6 or qiskit v2.4.2.

Vendor Workaround

Workarounds/Mitigation guidance: None

OpenCVE Recommended Actions

  • Upgrade to Qiskit v1.4.6 or v2.4.2, which enforce a recursion limit and raise a RecursionError instead of crashing
  • If upgrades cannot be performed immediately, scan all externally supplied QASM files for overly deep expression trees and reject or truncate them before parsing
  • Apply application‑level input validation to limit the depth or complexity of classical expressions processed by the SDK
  • Consider isolating Qiskit parsing in a sandboxed environment to contain potential segmentation faults

Generated by OpenCVE AI on June 12, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-674

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser.
Title Qiskit SDK is vulnerable to specific functions may recurse too deeply and overflow the available stack space, when encountering certain classical expressions.
First Time appeared Ibm
Ibm qiskit Sdk
CPEs cpe:2.3:a:ibm:qiskit_sdk:0.43.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:qiskit_sdk:2.5.0:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm qiskit Sdk
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Ibm Qiskit Sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-12T20:52:58.528Z

Reserved: 2026-03-25T21:23:18.986Z

Link: CVE-2026-4870

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T21:16:23.963

Modified: 2026-06-12T21:16:23.963

Link: CVE-2026-4870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T23:15:10Z

Weaknesses