HIGH
ray-project
CVE published 2026-05-08
CVE-2026-41486
Ray Data in versions 2.54.0 through 2.54.x registers custom PyArrow extension types globally. When PyArrow parses a Parquet file schema containing these extension types, the `__arrow_ext_deserialize__` method passes metadata bytes directly to `cloudpickle.loads()`, enabling arbitrary code execution during schema parsing before any row data is read. This deserialization of untrusted data (CWE-502) allows c [truncated]
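A data-only alternative to the pattern described above, as an added example (not Ray's code or its fix): the `__arrow_ext_deserialize__` hook parses the metadata bytes as strictly validated JSON and refuses pickle streams. `HypotheticalTensorType`, the shape-list metadata format and the size cap are assumptions, and the class is a stand-in that mirrors the hook names without importing PyArrow.

```python
import json
import pickle

MAX_METADATA_BYTES = 256  # assumed cap for this example


class UnsafeMetadata(ValueError):
    """Extension metadata that is not the expected data-only encoding."""


def looks_like_pickle(buf: bytes) -> bool:
    # Pickle protocol >= 2 streams open with PROTO (0x80) plus a version
    # byte and close with STOP (b"."). cloudpickle emits such streams.
    return (len(buf) >= 3 and buf[0] == 0x80
            and buf[1] <= pickle.HIGHEST_PROTOCOL and buf.endswith(b"."))


def parse_shape_metadata(serialized: bytes) -> tuple:
    """Parse metadata as a JSON list of non-negative ints; never unpickle."""
    if len(serialized) > MAX_METADATA_BYTES:
        raise UnsafeMetadata("metadata too large")
    if looks_like_pickle(serialized):
        raise UnsafeMetadata("pickle stream in extension metadata")
    try:
        value = json.loads(serialized.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafeMetadata("metadata is not UTF-8 JSON") from exc
    # type() is used instead of isinstance() so that JSON true/false fail.
    if not isinstance(value, list) or not all(
        type(dim) is int and dim >= 0 for dim in value
    ):
        raise UnsafeMetadata("expected a list of non-negative integers")
    return tuple(value)


class HypotheticalTensorType:
    """Stand-in for a pyarrow.ExtensionType subclass (no pyarrow needed)."""

    def __init__(self, shape):
        self.shape = tuple(shape)

    def __arrow_ext_serialize__(self) -> bytes:
        return json.dumps(list(self.shape)).encode("utf-8")

    @classmethod
    def __arrow_ext_deserialize__(cls, storage_type, serialized):
        # Runs during schema parsing, so it must treat the bytes as data.
        return cls(parse_shape_metadata(serialized))
```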